Slashdot Mirror


Mozilla Restricts All New Firefox Features To HTTPS Only (bleepingcomputer.com)

An anonymous reader shares a report: In a groundbreaking statement earlier this week, Mozilla announced that all web-based features that will ship with Firefox in the future must be served over a secure HTTPS connection (a "secure context"). "Effective immediately, all new features that are web-exposed are to be restricted to secure contexts," said Anne van Kesteren, a Mozilla engineer and author of several open web standards. This means that if Firefox will add support for a new standard/feature starting tomorrow, if that standard/feature carries out communications between the browser and an external server, those communications must be carried out via HTTPS or the standard/feature will not work in Firefox. The decision does not affect already existing standards/features, but Mozilla hopes all Firefox features "will be considered on a case-by-case basis," and will slowly move to secure contexts (HTTPS) exclusively in the future.

7 of 243 comments

  1. Loyal Firefox user for over a decade now. by fishscene · · Score: 5, Insightful

    ...and this might be the one thing that gets me off the Firefox bandwagon as it is an incredibly backwards move. TONS of stuff does NOT need https and does not need the overhead HTTPS incurs both in processing time and certificate management. Also, do I really need HTTPS for stuff on my trusted LAN? No? So now I have to jump through hoops to enable developer mode? Just... what are they thinking? What is the recommended fork of Firefox these days? Pale Moon?

    1. Re:Loyal Firefox user for over a decade now. by QuietLagoon · · Score: 4, Interesting

      ...Just... what are they thinking?...

      Who knows if they are even thinking at all. The crowd that currently appears to be in charge at Mozilla seems to have a really strange perception of what the Firefox users want, and a strange perception of security. Yesterday I tried to log into the Mozilla site, but I was not allowed to because I would not let Mozilla persistently store tracking data on my PC. I allowed session cookies, but that wasn't good enough for them. Apparently they wanted access to offline web content storage.

    2. Re:Loyal Firefox user for over a decade now. by Eravnrekaree · · Score: 3, Interesting

      The LAN issue is an interesting one, maybe Firefox should make an exception for the private IP address ranges. That would be reasonable. On the other hand, I am all for HTTPS for everything else, even eventually dropping non-SSL support altogether.
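
As an added illustration of the LAN case raised in this thread (not part of any comment and not Firefox code): a simplified model of the "potentially trustworthy origin" rules from the W3C Secure Contexts specification. It shows that cleartext pages on RFC 1918 addresses are not secure contexts, while loopback addresses are. The function names and sample URLs are constructed for this example.

```javascript
// Simplified model of the Secure Contexts origin check (added example).
// Omits file:, opaque origins and user-configured exceptions.

// RFC 1918 private IPv4 ranges: the "trusted LAN" case from the thread.
function isPrivateIPv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  const a = Number(m[1]);
  const b = Number(m[2]);
  return a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// Loopback traffic never leaves the machine, so it is trusted without TLS.
function isLoopback(host) {
  if (host === "[::1]") return true; // URL.hostname keeps IPv6 brackets
  if (host === "localhost" || host.endsWith(".localhost")) return true;
  return /^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(host);
}

// Returns { secure, reason } for the URL a page was loaded from.
function classifyOrigin(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch {
    return { secure: false, reason: "invalid URL" };
  }
  if (url.protocol === "https:" || url.protocol === "wss:")
    return { secure: true, reason: "authenticated, encrypted scheme" };
  if (isLoopback(url.hostname))
    return { secure: true, reason: "loopback" };
  if (isPrivateIPv4(url.hostname))
    return { secure: false, reason: "private LAN address over cleartext" };
  return { secure: false, reason: "cleartext over a network" };
}

// Feature gate; in a browser the flag comes from window.isSecureContext.
function canUseNewFeature(urlString) {
  return classifyOrigin(urlString).secure;
}

// Constructed sample URLs.
for (const u of ["https://example.com/", "http://example.com/",
                 "http://192.168.1.1/admin", "https://192.168.1.1/admin",
                 "http://localhost:8080/", "http://127.0.0.1/"]) {
  const r = classifyOrigin(u);
  console.log(u.padEnd(28), r.secure ? "secure" : "NOT secure", "-", r.reason);
}
```

The same router address is a secure context over `https:` and not over `http:`, which is why the thread's LAN devices need a certificate rather than an address-based exception under the current rules.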

  2. Then is non-standard by williamyf · · Score: 3, Insightful

    If the standard calls for a feature to work on both HTTP and HTTPS, and you implement only HTTPS, then it is not a standards-compliant implementation...

    Come on Mozilla Foundation! Those heavy-handed tactics could work when your market share was about 50%, but not anymore...

    JM2C, YMMV

    --
    *** Good luck to everyone and happy day!

  3. Encryption is the new fad by RightwingNutjob · · Score: 3, Insightful

    Last month bitcoin was the new fad. These Silicon Valley types must have been drinking too much Raw Water(TM) and picked up some brain parasites.

    Very little needs to be encrypted or authenticated. Not everything that needs to be encrypted when going through the open internet needs to be encrypted or authenticated when happening on a closed LAN. Encryption isn't for free. SSL certificate management isn't for free. When stepping away from the half of web browser use that happens on the open internet and into the other half that happens on closed networks, it is wasted effort for no benefit.

  4. Cleartext HTTP vulnerable to script injection by tepples · · Score: 4, Insightful

    I run several websites, and not a single one of them needs HTTPS for anything.

    How do you assure visitors of the several websites you run that the markup, stylesheets, images, fonts, and possibly scripts on your site have not been modified in transit by an intercepting proxy between your server and the viewer's machine? Comcast, for example, has been shown to inject advertisement scripts into HTML documents delivered through cleartext HTTP.

    OMG, a MITM might substitute fake data! How awful!

    Thus you answer your own question. It is awful.

  5. Re:Router, printer, NAS, and other FQDNless device by Octorian · · Score: 4, Informative

    Let's Encrypt has short-lived certificates, which are kinda useless and annoying when you have a device that is *not* a general-purpose computer capable of running their scripts.

    Am I really going to do a manual process on every cable modem, WAP, router, printer, switch, AP, IoT device, etc, every 3 months?

    The "local network devices" problem is a real problem, and it's never given proper attention in these HTTPS proclamations.

    I "solved" it for myself by setting up a local CA to make certs for my stuff. Unfortunately, getting the cert for that CA into all my browsers is annoying, and can introduce its own share of issues.