Mozilla - Deprecating Non-Secure HTTP

15 réponses [Dernière contribution]
gnuvideoro
Hors ligne
A rejoint: 06/15/2014

Hi there,

I don't know if it's ok to post this here but has anyone red this https://blog.mozilla.org/security/2015/04/30/deprecating-non-secure-http/ ?

It's just me or Mozilla is crazy ?

How could this affect Abrowser and IceCat?

I know HTTPS is better than HTTP but to force everyone to switch I don't think is a good idea.

What do you think about this?

SuperTramp83

I am a translator!

Hors ligne
A rejoint: 10/31/2014
quantumgravity
Hors ligne
A rejoint: 04/22/2013

Sounds actually great - i mean, really great.
Completely replacing http with https would be a huge achievement for privacy.

SuperTramp83

I am a translator!

Hors ligne
A rejoint: 10/31/2014

quantum - exactly! :)

gnuvideoro
Hors ligne
A rejoint: 06/15/2014

Hello,

I know about Let's Encrypt and I believe it's a great idea. But helping people switch from HTTP to HTTPS is one thing and forcing people to switch is another.

I believe this decision will affect both users and website owners, at least for a long period of time because:

- some users (actually a lot of them) don't know the issues with HTTP and they will believe it's the browsers fault and probably they will switch to another, proprietary maybe.

- some website owners don't know about Let's Encrypt and that they can get a good certificate for free. Choosing a free certificate nowadays is not quite easy.

- some website owners don't have the money to buy one or don't care. When users will start to complain that the website is not displayed correctly those website owners will tell their visitors to change the browser.

I don't think it's a win situation for anyone, at least not for now.

For a big period of time a believe a lot of users will switch to another browser. They will also think, maybe, free software is not for them.

Getting them back will be a pain also.

J.B. Nicholson-Owens
Hors ligne
A rejoint: 06/09/2014

name at domain wrote:
> I know about Let's Encrypt and I believe it's a great idea. But helping
> people switch from HTTP to HTTPS is one thing and forcing people to
> switch is another.

Censorious world governments, Comcast, AT&T, and other organizations are
forcing this switch when you consider this from the perspective of data
integrity and authentication. Those organizations are inspecting what
people upload and download, and/or injecting data into webpages users
receive en route. The Mozilla FAQ[1] was quite clear about this:

> [...]as long as your site is not secure, it can be used as a weapon
> against your users and against other web sites. More non­secure sites
> means more risk for the overall Web.

One should place blame where it belongs, not with efforts making changes
that should have been made long ago.

[1] https://blog.mozilla.org/security/files/2015/05/HTTPS-FAQ.pdf
specifically "But there's nothing secret on my site! Why should I bother
with encryption?".

Mangy Dog

I am a member!

I am a translator!

Hors ligne
A rejoint: 03/15/2015

I'm not convinced by the way it's enforced upon and the comments on that Mozilla page are well worth reading,some lift proper and well placed objections and concerns

as Lestat wrote on May 1, 2015 at 7:30 am:

What about hobby projects which do only offer static HTML pages? This is a whole discrimination of small webprojects which either see no reason moving on towards HTTPS or have neither time or the necessary knowledge.

ssdclickofdeath
Hors ligne
A rejoint: 05/18/2013

This probably won't work out too well for old websites that aren't maintained anymore.

a_slacker_here
Hors ligne
A rejoint: 06/29/2013

I don't understand mozilla: on one hand, they decide to include anti-privacy and annoying features like adds included inside the browser and third party cookies enabled by default and on the other hand they are dropping http in favor of the more secure https.

If you see the scripts Mr. Rodrigez uses to build abrowser you will appreciate how large the configuration modifier is to make the browser more secure; let me share some examples:

// Disable third party cookies
pref("network.cookie.cookieBehavior", 1);
// Privacy & Freedom Issues
// https://webdevelopmentaid.wordpress.com/2013/10/21/customize-privacy-settings-in-mozilla-firefox-part-1-aboutconfig/
// https://panopticlick.eff.org
// https://wiki.mozilla.org/Fingerprinting
pref("privacy.donottrackheader.enabled", true);
pref("privacy.donottrackheader.value", 1);
pref("dom.ipc.plugins.flash.subprocess.crashreporter.enabled", false);
pref("browser.safebrowsing.enabled", false);
pref("browser.safebrowsing.malware.enabled", false);
pref("services.sync.privacyURL", "http://trisquel.info/en/legal");
pref("social.enabled", false);
pref("social.remote-install.enabled", false);
pref("datareporting.healthreport.uploadEnabled", false);
pref("social.toast-notifications.enabled", false);
pref("datareporting.healthreport.uploadEnabled", false);
pref("datareporting.healthreport.service.enabled", false);
pref("browser.slowStartup.notificationDisabled", true);
pref("network.http.sendRefererHeader", 2);
//Disable heartbeat
pref("browser.selfsupport.url", "");

// Disable plugin installer
pref("plugins.hide_infobar_for_missing_plugin", true);
pref("plugins.hide_infobar_for_outdated_plugin", true);
pref("plugins.notifyMissingFlash", false);

And that is just a sample.

I don't know what is happening in Mozilla but doesn't seem good.

Mangy Dog

I am a member!

I am a translator!

Hors ligne
A rejoint: 03/15/2015

In the hands of Big Co interests?

as rtechie wrote :

As someone who does a lot of work with PKI, I think this is an extremely bad idea.

Making HTTPS mandatory will seriously degrade the security of existing web sites.

Right now, the main problems with SSL/TLS have to do with bad actions by root Certificate Authorities (like China’s CA) issuing inappropriate or questionable certificates.

You’re assuming that site operators, and more importantly users, are going to use HTTPS intelligently and appropriately and that’s a bad assumption.

Forcing every single site to use HTTPS means that unless that site has a root CA cert, users will get a browser error. And we’ve “trained” users to avoid sites with browser errors. This will create a “gold rush” with the root CAs as lots of smaller sites start requesting certs. This will inevitably lead to more bad certs being issued.

And there will be a LOT more questionable certs issued.

Because you intend to block features behind HTTPS, you’re making it impossible to TEST using HTTP, so every single internal, QA, or test site needs a cert. Sure, they can use self-signed, but users will get a browser error. So now either that organization has to run their own CA or get more certs from the root CAs, which is a lot easier. That’s going to be a flood of cert requests on the CAs.

I really need to stress what a problem it is that you’re requiring certs for all internal web sites.

And what about intranet sites in general? Have you guys developed a better method, of any kind, for distributing enterprise root certs around? Right now, I have to manually install them on every PC. Now you’re saying I have to do that no matter what.

The short version is that the core problem with HTTPS right now is that it’s too popular. Making HTTPS mandatory will further degrade it’s utility and put serious and important uses of HTTPS, like financial transactions, in danger.

tomlukeywood
Hors ligne
A rejoint: 12/05/2014

as pepole tend not to visit your site when a scary:
"this connection is not trusted message" comes up

dose anyone know of a way to register your https certificate gratis or cheap?
the lowest i found was £40 a year :(

Legimet
Hors ligne
A rejoint: 12/10/2013

Let's Encrypt is coming soon: https://letsencrypt.org/

Mangy Dog

I am a member!

I am a translator!

Hors ligne
A rejoint: 03/15/2015

http://arstechnica.com/security/2009/12/20/how-to-get-set-with-a-secure-sertificate-for-free/

quote:
You can sign your own digital certificates, essentially acting as your own certificate authority, but that's a problem. Because a client and/or OS doesn't know that Tom the cat luckeywoodCA is a real authority, the client or OS has to prompt a user to accept an untrusted relationship. Depending on the process, the user may be able to trust a session or not, or to accept a CA's authority permanently.

http://www.cacert.org/index.php?id=0&lang=en

I tried loggin into CAcert and emmediatly had a browser non Certified connection Alert Cert!
A hosted Wordpress as exemple with OVH here with a SSL Cert it's 49Euros a year for just the Cert
https://www.ovh.com/fr/ssl/

Furthermore most sites if not 98% are HTTP
quote:

"However, the market for SSL certificates, a kind of certificate used for website security, is largely held by a small number of multinational companies"
and that raises a serious ethical issue from my point of view.

https://en.wikipedia.org/wiki/Certificate_authority

CA cert org login!.png
Legimet
Hors ligne
A rejoint: 12/10/2013

I think this is a great idea. Note that Mozilla and EFF are starting Let's Encrypt, so it will be much easier for people to move to HTTPS.

strypey
Hors ligne
A rejoint: 05/14/2015

Let's Encrypt is now live, which is good news, because I just took on a project website coordination role for a small not-for-profit whose website doesn't yet use HTTPS, and I wasn't looking forward to explaining why they should pay regular tithes to some corporation who (like domain registrars) are basically printing money. Ultimately, at the risk of being a blockchain faboy, I think the best solution is to do away with centralized Cert Authorities altogether and replace them with a distributed system, as suggested in this paper:
https://eprint.iacr.org/2013/622.pdf

In the meantime, it would be great if Trisquel/Abrowser included CACert root certificates by default. They are used by a lot of bona fide software freedom organisations including RiseUp.net and Parabola.nu, and having Trisquel/Abrowser flag them as dodgy is not very neighbourly. Unless they are planning to switch to Let's Encrypt, in which case feel free to ignore this suggestion ;)

EDIT: For those who are concerned about unmaintained legacy sites, there's web.archive.org, but anyway:

>> It should be noted that this plan still allows for usage of the “http” URI scheme in legacy content. With HSTS and the upgrade-insecure-requests CSP attribute, the “http” scheme can be automatically translated to “https” by the browser, and thus run securely. <<
https://blog.mozilla.org/security/2015/04/30/deprecating-non-secure-http/

lloydsmart

I am a member!

Hors ligne
A rejoint: 12/22/2012

> it would be great if Trisquel/Abrowser included CACert root certificates by default.

Completely agree with this - it's a fantastic idea!