back to article Mozilla to whack HTTP sites with feature-ban stick

Insecure websites will be barred from using new hardware features and could have existing tools revoked, if Mozilla goes ahead with a push towards HTTPS. Webmasters that don't turn on HTTPS could be excluded from the new features list under a Mozilla initiative designed to rid the net of careless clear text gaffes, sending a " …

  1. Russell Hancock

    why, why, why... what is the point?

    I understand that certain content needs to be secure but why all content? Why do my seaches on ebay for parts for my car need to be secure? When I look on auto trader and area about owning an Aston martin, why does that need to be secure? BBC News? Tide times? Weather forecasts?

    Why the hell does any of that need to be secure?

    In the last week I have looked at all the following, please someone explain why they need to be secure...

    Haynes motor museum

    The Register

    BBC News

    BBC iPlayer

    Gig guide

    Weather

    Ebay motors search

    Auto trader

    Tesco

    Ebuyer (did not purchase)

    Amazon prime video

    Opening hours for a couple of local shops

    Why?

    1. Anonymous Coward
      Anonymous Coward

      Re: why, why, why... what is the point?

      Yes, its like putting four sets of gates on your driveway in case someone breaks through the first three.

      It might be useful on rare occasions but it what a nuisance when you want to take your car out.

    2. FF22

      Re: why, why, why... what is the point?

      "Why the hell does any of that need to be secure?"

      The answer is: it doesn't. But Firefox is losing market share fast, and Mozilla is desperate to find something to distinguish Firefox by some means (and with that I mean by _any_ means) from the competition and tries to lake a lead in something (and with that I mean in _anything_) that seems or can be spinned to look somehow positive. This is obviously their ill-fated attempt at that.

    3. Raumkraut

      Re: why, why, why... what is the point?

      Have you ever used an open WiFi access point? On an insecure, shared, WiFi network, it is trivial to modify plain HTTP traffic to serve up porn, ads, or exploits which install malware on computers.

      Do you absolutely trust your ISP? Do you absolutely trust every employee at your ISP? Your ISP can see *everything* you do in plain HTTP. And, like the above WiFi situation, your ISP (and any technical employee thereof) is in the perfect man-in-the-middle position to modify all of your insecure traffic - with or without official blessing of the company.

      Or perhaps you are aware of the recent "Chinese Cannon" attack against GitHub? Did you know that the attack was only possible because people weren't requesting websites securely? Something at the same location as the Great Firewall was modifying plain HTTP traffic passing into/out of China, and adding some javascript to pages; causing unknowing users' browsers to automatically assault GitHub.

      So then tell me: Why should we *not* secure websites?

      1. FF22

        Re: why, why, why... what is the point?

        Too bad you could only give reasons why a website that you're handing over sensitive data should possibly use HTTPS. Too bad you didn't give any compelling reason why ALL websites should be forced to use HTTPS.

        1. Charles 9 Silver badge

          Re: why, why, why... what is the point?

          "Too bad you could only give reasons why a website that you're handing over sensitive data should possibly use HTTPS. Too bad you didn't give any compelling reason why ALL websites should be forced to use HTTPS."

          I thought we pointed out that ANY unencrypted communications can be MITM'd and altered to whatever ends (like Verizon's customer tags or the Chinese Cannon). At least with an encrypted channel like SSL/TLS (which HTTPS uses) it's a lot harder to achieve this.

      2. John Lilburne

        Re: why, why, why... what is the point?

        Why should I care about github, or any other website? Let them take care of their own security, why do I have to sponsor them?

        Why should I care about some oik at an ISP watching my browsing of an entomology site, and why should the entomology site need to get an SSL certificate?

        Let eBay, Facebook, Google, Yahoo, Amazon and the banks secure their own fucking businesses and leave the rest of us alone. Seems to me that all of this is to make the poor pay the cost of web security.

      3. Anonymous Coward
        Anonymous Coward

        Re: why, why, why... what is the point? @Raumkraut

        "Have you ever used an open WiFi access point? On an insecure, shared, WiFi network, ...

        Do you absolutely trust your ISP? Do you absolutely trust every employee at your ISP? Your ISP can see *everything* you do in plain HTTP."

        Do you use a telephone? if so what do yo use to effect end-to-end session security?

      4. heyrick Silver badge

        Re: why, why, why... what is the point?

        "Why should we *not* secure websites?"

        Because:

        1. It is a burden for people running smaller websites that don't have logins etc this don't actually need to be "secure". Whether or not this can be hijacked by nefarious people shouldn't be the web site's problem.

        2. Numerous public APs force false certificates at you if you go to https sites - KFC I'm looking at you - which either intentionally breaks or intentionally compromises the basic security expectations.

        3. Remind me - where is the mechanism to prove that site X is really site X? We are mostly stuck with taking somebody else's word for it...

      5. Michael Wojcik Silver badge

        Re: why, why, why... what is the point?

        Why should we *not* secure websites?

        Because it's a terrible waste of resources. It burns CPU cycles, bloats network messages, and interferes with some forms of caching and compression (e.g. by transparent gateways). Because it's a stupid attempt at security-by-fiat which imposes the same threat model on every use. It's cargo-cult programming.

    4. Anonymous Coward
      Anonymous Coward

      Re: why, why, why... what is the point?

      Because in the year 2022, UKIP have had a landslide victory in the UK elections and have taken control of the government. However some of the more right wing elements have wrestled control from the moderate Nigel Farage and start ejecting all immigrants who have been in the country for less than 5 years. Due to the serious effects to the IT, healthcare and other industries there is a growing resistance with ordinary people who have not been reading Katie Hopkins' Sun column and are therefore not yet brainwashed.

      The new MI9 force starts tracking down these immigrant sympathisers who have fallen foul to the new non-patriot act and using their, once innocent, browsing history start rounding up those who have been looking at sites which are pro-immigration, such as the BBC, Tesco, Haynes Motor Museum and certain titles on Netflix.

      Luckily all this information had been stored and retained by GCHQ since 2015 and thanks to the fact thet The Register didn't used HTTPS for their login, e-mail addresses were easily gathered along with non-patriotic posts even by anonymous users.

      1. P. Lee Silver badge

        Re: why, why, why... what is the point?

        Actually, I'm not ashamed of my views and I see no reason to hide them from the powers that be. Actually, I'd be rather chuffed if they deigned to read them. Who knows, I may convince someone not to do the wrong thing.

        Of course, they could read them anyway, by clicking on the "comments" section of the articles. They'd just have to check the server logs and pair them up to my static IP or DHCP lease log to find out where I lived. HTTPS doesn't negate oppressive government. They might try some blackmail, but you don't need real data for that, just a scurrilous accusation in a tabloid.

        I'd rather have caching than privacy for most of my browsing. Now if I wanted to push people to CDNs and the cloud, I might want caching to go the way of the dodo.

        If you want to stop oppressive government you have to get the building of the massive snooping infrastructures reversed; you have to stop the circumvention of the spirit of due process and you have to get loose and dangerously phrased laws repealed. HTTPS is small fry, it complicates troubleshooting and is often simply not required.

      2. Brewster's Angle Grinder Silver badge

        Re: why, why, why... what is the point?

        "The new MI9 force starts tracking down these immigrant sympathisers who have fallen foul to the new non-patriot act and using their, once innocent, browsing history start rounding up those who have been looking at sites which are pro-immigration, such as the BBC, Tesco, Haynes Motor Museum..."

        They still know that, unless you encrypt your DNS lookups.

      3. Andrew Meredith

        Re: why, why, why... what is the point?

        "Because in the year 2022, UKIP have had a landslide victory in the UK elections and have taken control of the government"

        Oh for goodness sake. I am still amazed by the number of supposedly intelligent people that have fallen for the Lab/Green/SNP/PlaidC bulldust about UKIP. They don't like UKIP because they want to stay on track to their Marxist "utopia" The People Republic of EUland. But they won't admit that in public.

        UKIP are against "open door, uncontrolled, undocumented Immigration" ... which is freely translated from the plain English into "UKIP hate all non-whites and will gun down all immigrants". If you can't see the disconnect there then Gawd help you. Go ahead and vote away your future rights to vote on anything substantive after the REAL threat comes to final fruition in Brussels.

    5. John H Woods Silver badge

      Re: why, why, why... what is the point?

      You'd better read (a) the news and (b) some history books.

      If you think your news browsing, video watching, Register-posting habits -- or even your musical tastes -- do not let The Powers That Be characterise you pretty fully, you need to think again. The Powers That Be, here in "The West", of course, are reasonably benign (to what degree is a matter of discussion) at the moment; but there is absolutely no reason to assume they will stay that way, wherever you place them on the malignity spectrum at the moment.

    6. Charles 9 Silver badge

      Re: why, why, why... what is the point?

      "Why the hell does any of that need to be secure?"

      It's WAY TOO EASY for someone in the chain to perform a Man-In-The-Middle attack on you, and before you say the information you serve isn't important, that wouldn't matter if it's the CONNECTION they want to hijack (which they would for something like a malware injection).

      Then think about ISPs like Verizon that (whether you want them to or not) inject unique session cookies into all your web traffic that ad agencies can use to identify you. You'd have to think the practice will eventually become universal, leaving the only alternative to bail out of the 'Net altogether.

      Put it this way. Do you leave your doors unlocked? That's what the HTTPS Everywhere approach represents.

      1. Anonymous Coward
        Anonymous Coward

        Re: why, why, why... what is the point?

        Put it this way. Do you leave your doors unlocked?

        Yes!

        But then I don't live in an inner city and also don't live in a perpetual state of paranoia thinking it is normal!

        1. Anonymous Coward
          Anonymous Coward

          Re: why, why, why... what is the point?

          "But then I don't live in an inner city and also don't live in a perpetual state of paranoia thinking it is normal!"

          Great, wouldn't want you to be paranoid. Hell if it doesn't matter, could you just let us know where you live and what time your house is normally empty?

          You don't need to be paranoid, no one reading this is likely to live close to you and be of the thieving sort, so no harm eh?

          1. big_D Silver badge

            Re: why, why, why... what is the point?

            "But then I don't live in an inner city and also don't live in a perpetual state of paranoia thinking it is normal!"

            Great, wouldn't want you to be paranoid. Hell if it doesn't matter, could you just let us know where you live and what time your house is normally empty?

            I have a friend who used to leave his garage unlocked and the keys to his bikes in the ignition, with the comment: "if you are in the area and want to go for a ride, just take a bike, just remember, you bend it, you mend it."

            He never used to lock his patio door either.

            He never had any problems.

            On occasions I've forgotten to lock my car doors - one time, when I was still in the UK, I got home at 11 in the evening from work and my neighbour knocked on the door at 10 the next morning to let me know the windows were still open... My coat, briefcase, CD player and CDs were all still in the car - that was in Southampton - although speaking to my old neighbours a couple of years back, they daren't leave the cars on the street at night any more, let alone leave them unlocked!

            In Birmingham, I left the car in a carpark under the Holiday Inn on Monday morning. As I picked it up on Friday evening, it was unlocked - but nothing was missing.

            I tend to lock the car, but there are times I forget. The only time somebody broke in was when I was a kid and despite the door being unlocked, they used my father's golf clubs to smash the window, then made off on my kiddy bike!

            The same for a friend, he had a Spitfire and was always worried somebody could cut open the roof, so he left the doors unlocked, so that if somebody wanted to steal the radio, they didn't have to cut open the roof... They cut open the roof anyway [LIFTED] idiots!

            1. Permidion

              Re: why, why, why... what is the point?

              playing russian roulette, most of the time you are safe, but just once ...

            2. Anonymous Coward
              Anonymous Coward

              Re: why, why, why... what is the point?

              "I have a friend who used to leave his garage unlocked and the keys to his bikes in the ignition, with the comment: "if you are in the area and want to go for a ride, just take a bike, just remember, you bend it, you mend it."

              He never used to lock his patio door either.

              He never had any problems."

              Before the days when you were legally required to keep a record of who has driven your motor vehicle in the last 14 days, I take it?

              Try that today and you're legally liable for any and all speeding tickets.

              1. John Brown (no body) Silver badge

                Re: why, why, why... what is the point?

                "Before the days when you were legally required to keep a record of who has driven your motor vehicle in the last 14 days, I take it?"

                Eh? What? Since when?

                Are we talking UK here? Is this one of the 10's of 1000's of new laws and statutory instruments enacted over the last 18 or so years? (I suspect that alone might be an argument in court to defeat the "ignorance of the law is no excuse" thing.)

                1. Anonymous Coward
                  Anonymous Coward

                  Re: why, why, why... what is the point?

                  @John Brown

                  Since they changed the rules for speeding tickets. If a fixed camera issues you with a speeding ticket then they have to get the ticket to you within 14 days but assuming they do then you're expected by law to know who was driving at the time of the offence.

                  It's intended to close the loophole that got a lot of people off on speeding tickets because the police couldn't identify who was driving from the camera photo. If you can't prove who did the crime you can't prosecute.

                  Now, if you get a speeding ticket, you will notice new references that say that if you can't identify the driver then the owner is liable.

                  See point 1

                  1. John Brown (no body) Silver badge

                    Re: why, why, why... what is the point?

                    "Since they changed the rules for speeding tickets. If a fixed camera issues you with a speeding ticket then they have to get the ticket to you within 14 days but assuming they do then you're expected by law to know who was driving at the time of the offence."

                    Thanks, I didn't know about that. It all sounds like something Blair introduced as a statutory instrument at the behest of ACPO.

              2. big_D Silver badge

                Re: why, why, why... what is the point?

                @Mycho

                Before the days when you were legally required to keep a record of who has driven your motor vehicle in the last 14 days, I take it?

                Try that today and you're legally liable for any and all speeding tickets.

                No such requirement here, and if you cannot be clearly identified on the photo (assuming it wasn't an actual pullover), then you can generally not be prosecuted. Companies have to have a log book for all company vehicles that aren't driven by one person.

                1. SImon Hobson Silver badge

                  Re: why, why, why... what is the point?

                  >> Try that today and you're legally liable for any and all speeding tickets.

                  > No such requirement here, and if you cannot be clearly identified on the photo (assuming it wasn't an actual pullover), then you can generally not be prosecuted.

                  Don't know where you are, but in England (probably England and Wales, dunno about Scotland and NI) the registered keeper can certainly be prosecuted as a result of speeding by someone else. The first thing that happens is a form is sent to the registered keeper asking who the driver was at the time. If you cannot or will not identify the driver then you as the registered keeper **WILL** be prosecuted - not for the speeding offence, but for failing to identify the driver. The penalty is the same, so as pointed out, it's to remove the loophole where failing to identify the driver gets someone off a speeding charge.

                  I know people who have been on the receiving end of this.

          2. This post has been deleted by its author

    7. streaky

      Re: why, why, why... what is the point?

      Simply: because your ebay searches being encrypted makes your bank transactions more secure.

      Also not for nothing but what you read on BBC news, what (and that/where) you buy at Tesco and what cars you're looking at can build a geographical, psychological and (frankly) political profile of you - and also be used by criminals to figure out when you've buggered off out to do your shopping, or target whatever car you're buying for theft.

      And last but not least there's not good reason not to encrypt all your data. You say why - I say why the hell not, it's a zero-cost solution to a pervasive problem. It doesn't have to be governments, but they can be part of the problem. Just accept crypto into your heart and get back on with your life.

      1. Anonymous Coward
        Happy

        Re: why, why, why... what is the point?

        It is not zero cost as any sysadmin, network engineer, or infrastructure provider will tell you right off. The question remains cost-benefit analysis. I won't even try. I know all the factors, it's the weighting of them that is at question. My situation is so bizarre that I'm a complete outlier. Up to y'all but I'll jump in with corrections natch.

      2. Anonymous Coward
        Anonymous Coward

        Re: why, why, why... what is the point?

        And last but not least there's not good reason not to encrypt all your data.

        So for my "website under construction" holding page, I need to implement encryption? Likewise for the pages that get displayed when a website is busy (doesn't happen so often these days with flexible cloud provisioning) or offline for maintenance/update?

        There is much that needs to be thought through on this proposal...

    8. Anonymous Coward
      Anonymous Coward

      Re: why, why, why... what is the point?

      The reason why this is a bad idea is that it upper the entry barrier to having a web presence. Most certificates aren't free, and the skills required to set it up are not necessarily within reach of the most basic providers or admins.

      Not a problem for the web giants or even for most website owners in the developed world. However, it does put up a significant barrier to those whose voices need to be heard the most.

      Which is why I cannot support this idea, at least not unless Mozilla dig into their deep pockets to set up a non-profit, free for the user, certificate authority.

      1. Mark #255

        Re: why, why, why... what is the point?

        Which is why I cannot support this idea, at least not unless Mozilla dig into their deep pockets to set up a non-profit, free for the user, certificate authority.

        I'm afraid then, Mr/Ms Coward, you'll have to wait until last November before you can strike that off your list of demands reasons why you cannot support this idea.

        1. Michael Thibault

          Re: why, why, why... what is the point?

          Also,

          https://letsencrypt.org/

          Can't arrive too soon.

      2. Vic

        Re: why, why, why... what is the point?

        Most certificates aren't free, and the skills required to set it up are not necessarily within reach of the most basic providers or admins.

        Seriously?

        If an admin can't set up an SSL certificate, he shouldn't be an admin. It's incredibly simple...

        Vic.

    9. thames

      Re: why, why, why... what is the point?

      @Russell Hancock - "In the last week I have looked at all the following, please someone explain why they need to be secure.."

      Most of those sites you listed will be going to http/2 anyway, which is encrypted by default and has no unencrypted mode. They'll be going to it because it will give them better performance, use less bandwidth, and work better with mobile. Tests so far have shown http/2 with encryption to be faster than regular http without encryption. Chrome and Firefox already support it, and the other browser vendors will be following suit if they haven't already.

      Mozilla's proposal is for what to do about sites that don't change to http/2 because they don't want to change anything. Their proposal is that those sites will continue to work as is for the foreseeable future, they just won't be able to access new browser features. Since those site operators who claim they don't want to change anything won't be accessing new features anyway, then they've really nothing to complain about, do they?

      The only people who will be affected are those who want to use the latest bleeding edge web technologies, but don't want to do it over http/2 or encrypted http.

    10. -tim
      Black Helicopters

      Re: why, why, why... what is the point?

      Why is simple, it allows the cert issuers to snoop on metadata. While there are ways to do certificate revocation that don't ask the CA everytime you talk to your bank, they aren't well supported. That meta data links your computer to the remote site and typically provides enough data to figure out what pages you went to with absolute certainty just by using the the netflow data (which your ISP is already collecting) combined with the CA's data. Oddly enough you can't do that with http without looking inside the packets. There is no plausible deniability with https as there are records it came from your computer, not your network.

      Remember that all major CAs were founded by spooks. Some of them are much better at their jobs than most of the "security experts" on the net.

    11. ManxPower

      Re: why, why, why... what is the point?

      If you only secure data you want to keep secret, then you are telling the bad guys exactly which data they should concentrate on. If you secure all data, then the bad guys will waste resources trying to decrypt your cat videos or e-mail to your grandmother. Most people won't stop using their debit cards, cell phones, etc to protect their privacy because it is too inconvenient . Using HTTPS when possible is one of the easiest ways to protect your privacy with very little hassle.

  2. FF22

    Action. Counteraction.

    Firefox relegates web sites that do not use HTTPS. Users relegate Firefox to the also-ran category.

    Also, please don't try to draw an equal sign between "insecure websites" and "HTTP only". As site isn't necessarily insecure by any means, if it uses HTTP only, and surely isn't secure just because it uses HTTPS. Security is far a more complex issue than it could be reduced to HTTP vs HTTPS.

    1. Thought About IT

      Re: Action. Counteraction.

      Before even thinking about this, Mozilla ought to fix Firefox so that it can communicate through a non-standard port with a secure server (ie. not supporting SSLv3), rather than giving up with "Cannot communicate securely with peer: no common encryption algorithm(s). (Error code: ssl_error_no_cypher_overlap)"! As it is, I have to resort to using IE to configure WHM/cPanel.

    2. big_D Silver badge

      Re: Action. Counteraction.

      This is just copy-catting, Google are trying to push sites to do this with Chrome as well... And Google are flagging up valid Certs using SHA1 as insecure - unless they come from Google...

      1. streaky

        Re: Action. Counteraction.

        unless they come from Google

        Faulty assertion made on the assumption that Google isn't going to change their certs. Protip: they are.

        1. big_D Silver badge

          Re: Action. Counteraction.

          @streaky yes, they will change them, but they haven't yet, even though they are flagging non-Google properties already as insecure.

    3. thames

      Re: Action. Counteraction.

      @FF22 - Firefox relegates web sites that do not use HTTPS. Users relegate Firefox to the also-ran category.

      Planning on browsing the web with telnet then? Google has already announced their own plans to achieve the same result. The other vendors will do the same if they haven't announced plans already. If anything, Mozilla are taking a much softer line on this than Google are. They're not working alone on this, as companies such as Cisco and Akamai are in it with them. The IETF, IAB, and W3C want some sort of solution, and even the US government is pushing vendors to come with something.

      Mozilla will be making a proposal to the W3C. The browser vendors and various other interests will kick the idea around and come up with a common plan and schedule so that site owners will know what they need to do. Under Mozilla's proposal, existing sites will continue to work as is. It's when they want to access new features (e.g. getting access to your web cam) that they will need to do so through encrypted means (Firefox already requires this for some features).

      The very first question in Mozilla's FAQ is "Q. Does this mean my unencrypted site will stop working?" Their answer is "Not for a long time" (they're talking to other companies about a joint plan for what to do over the long term).

      So oh mighty ruler of the Internet, it appears you're panicking for no reason.

  3. Will Godfrey Silver badge
    Thumb Down

    Eeejits!

    My own website is a very simple affair. No javascript and no flash, just a bit of css and some ordinary links. If that suffers, then it looks like I'll need to change my front page... Advising people not to use Firefox.

    1. Anonymous Coward
      Anonymous Coward

      Re: Eeejits!

      More to the point, it just isn't worth the expense of a trusted certificate for the sort of sites I run.

      Yes, I'd like some security when providing my login details… a self-signed certificate is "good enough", provided people are smart enough to look beyond the warning messages and do a few basic checks.

      I've looked into getting a certificate. The free ones are either trials (30~90 days) or have limitations like no subdomains (i.e. you must own the domain). I run my sites on a free subdomain simply because the site is not revenue raising. I'm not prepared to pay AU$30/year just to have a site on the 'net.

      1. Anonymous Coward
        Anonymous Coward

        Re: Eeejits!

        More to the point, it just isn't worth the expense of a trusted certificate for the sort of sites I run.

        Expense? How expensive is free?

        1. Dan 55 Silver badge

          Re: Eeejits!

          The article says that sites using opportunistic encryption will also get all the features and a self-signed certificate will not set off alarms if opportunistic encryption is used.

        2. Anonymous Coward
          Anonymous Coward

          Re: Eeejits!

          More to the point, it just isn't worth the expense of a trusted certificate for the sort of sites I run.

          Expense? How expensive is free?

          Show me the form where I upload the .crl file to retrieve a signed .crt and I'll believe you. Does this new fangled automatic CA have keys trusted by the common web browsers? Firefox is likely, but how about Chrome, IE, Safari?

          All I can see is "Arriving Mid-2015"… maybe you've got keys to a DeLorian, I do not.

          1. Anonymous Coward
            Anonymous Coward

            Re: Eeejits!

            "Does this new fangled automatic CA have keys trusted by the common web browsers? Firefox is likely, but how about Chrome, IE, Safari?"

            Apparently it will, that is a good link and will be a valuable resource once it launches, thanks Mr Coat. I currently have an army of self-signed certs signed by my own CA that is trusted across my machines by GPO and I pay for certs for any public facing stuff, so this will be a welcome service and will definitely save me some costs.

            Especially good because all my stuff is for geek fun, none of it makes any money.

          2. Jamie Jones Silver badge

            Re: Eeejits!

            All I can see is "Arriving Mid-2015"… maybe you've got keys to a DeLorian, I do not.

            No DeLorian needed. The site will be ready before this proposal goes through...

      2. Anonymous Coward
        Anonymous Coward

        Re: Eeejits!

        "do a few basic checks"

        What are these few basic checks that can make a self-signed certificate trustworthy and give full confidence to all your visitors?

        1. Tomato42
          Boffin

          Re: Eeejits!

          "What are these few basic checks that can make a self-signed certificate trustworthy and give full confidence to all your visitors?"

          Those are the same checks that regular certificates from "big names" do - check if the email comes from webmaster@site.com or admin@site.com or that you can place a file with specific content on the server. All domain validated certificates require you to have control over that only.

          The certificate doesn't mean that the content is trustworthy or that the content comes from a given entity (unless it's a green-bar-enabling EV certificate). It just says that the same people that controlled the domain at some past time are the ones that are controlling the connection you are doing right now.

      3. Anonymous Coward
        Anonymous Coward

        Re: Eeejits!

        A lot of hosts just give them away for free, and yes, I mean proper long-lived trusted certs. Also: the lets encrypt thing probably will be the real deal, there's a lot of red tape for CAs, give it time. Actually if you're using cloudflare today even as a free users you probably have something very like it running on your site.

    2. thames

      Re: Eeejits!

      @Will Godfrey - "My own website is a very simple affair. No javascript and no flash, just a bit of css and some ordinary links."

      Well it won't be affected by this proposal then, will it?

  4. Buzzword

    Backing the wrong horse

    But we know HTTPS is flawed: the certificate authorities can't be trusted. By all means encourage website owners to improve their security and/or privacy, but not like this.

    1. Charles 9 Silver badge

      Re: Backing the wrong horse

      Got any better ideas, then? Guaranteed any other method you can think up can be subverted just as easily by a resourceful adversary. That includes the Web of Trust.

      Anyway, we're not thinking in terms of state adversaries but protecting against alteration mid-transmission, as Verizon and the Chinese Cannon have demonstrated.

  5. Pomgolian
    FAIL

    >Mozilla, whose Firefox is used by a quarter of net surfers,

    Yeah, right, they'd like to think so, but it's more like half that and dropping every month.

    I can just imagine the response from the customer base when asked to stump up for an SSL certificate and my time to manage it all. Firefox support will get dropped faster than you can say "chrome".

    Jog on, Firefox.

    1. Dan 55 Silver badge

      Now if you're telling me you can't flip the switch for opportunistic encryption and set up a self-signed certificate then perhaps your customer base isn't in very good hands.

      What is this fascination with Chrome by the way? It's a Google data slurper with a very uncustomisable and moderately ugly UI. They've also dropped NPAPI support and XP support is on life support so it's not as if Chrome users are immune from the slings and arrows of outrageous developers. And as it's free with everything else then it inevitably becomes the default browser foisted upon unknowing users by the time that an Adobe viewer, Java, or the anti-virus is updated.

    2. Anonymous Coward
      Anonymous Coward

      I have about 30,000 users on my site, about 10% use firefox and dropping.

  6. Frank Zuiderduin

    Bye, bye, Mozilla

    They're really desperate to kill off their browser, aren't they?

    As others have already stated, enforcing https for everything is rediculous. I wonder if the dickheads at Mozilla really expect Joe Webpresence to fork out extra funds to buy a fixed IP. Those are getting really expensive these days and you really need one for proper https. And don't start about IPv6. IPv4 is going to be around a long time yet.

    1. Tom Chiverton 1

      Re: Bye, bye, Mozilla

      Eh? You've not needed a dedicated IP for SSL since SNI was invented about 10 years ago.

      1. Stuart 22

        Re: Bye, bye, Mozilla

        "Eh? You've not needed a dedicated IP for SSL since SNI was invented about 10 years ago"

        Except SNI will not work with IE8 and below on XP or less. Sadly they still form around 25% of our web traffic so we can't afford to lose/upset them. So most of our sites stay on http. What we need is an IE<9 killer. Or just an IE killer ;-)

        1. Anonymous Coward
          Anonymous Coward

          Re: Bye, bye, Mozilla

          "Except SNI will not work with IE8 and below on XP or less. Sadly they still form around 25% of our web traffic so we can't afford to lose/upset them. So most of our sites stay on http. What we need is an IE<9 killer. Or just an IE killer ;-)"

          If your site's really all that, the customers will be willing to download a free alternative. Odds are many are simply on cruise control and will be willing to jump when they finally see the roadblock. That's how I got off IE many years ago. If they're willing to defect from you rather than switch from an outdated browser, perhaps something's wrong on your end.

          1. Paul Crawford Silver badge

            Re: Bye, bye, Mozilla

            "customers will be willing to download a free alternative"

            Try telling that to the Gov, NHS, etc, who have their balls in IE's vice...

            1. illiad

              Re: Bye, bye, Mozilla

              "Try telling that to the Gov, NHS, etc, who have their balls in IE's vice..."

              they will just say "wassat??? its not MS... the new IE is lovely..{{baaaa, baaaa....}}"

            2. Charles 9 Silver badge

              Re: Bye, bye, Mozilla

              WHAT vice? It's not like "There ain't room enough in this computer for the two of us," is it?

              1. Paul Crawford Silver badge

                Re: @Charles 9

                The issue has nothing to do with disk space (usually) but everything to do with the mindset of your typical large system IT department where if it can't be locked down by AD policies, it ain't going on their machines.

                It is not that daft a rule, as typically they want to be able to control trust certificates and proxy settings, etc, as well as controlling what sort of plugins are permitted.

                If Mozilla really do want to be relevant and get a bigger share of the corporate world they ought to make their web browser and email clients much easier to administer remotely using Windows practice and ideally something for Mac/Linux as well.

                Stop copying the dumbed down Chrome UI and its policy of changing stuff every month or two, as that just pisses of people who have to manage and train non-technical staff.

                1. Anonymous Coward
                  Anonymous Coward

                  Re: @Charles 9

                  "If Mozilla really do want to be relevant and get a bigger share of the corporate world they ought to make their web browser and email clients much easier to administer remotely using Windows practice and ideally something for Mac/Linux as well."

                  Ever thought Mozilla isn't being allowed to conform to Windows practice with Microsoft wanting IE to be the dominant browser AND wanting people to leave XP for 7, 8, or X? IOW, Mozilla can counter, "We'd give them away but Microsoft won't let us." And given Microsoft's buddy system, good luck actually making a case about this kind of behavior.

        2. Dan 55 Silver badge

          Re: Bye, bye, Mozilla

          IE doesn't understand opportunistic encryption, Firefox does. With OE you can use self-signed certificates which don't cost a penny and don't throw up errors with OE. Therefore Firefox and other browsers with OE will get an encrypted non-authenticated session and IE will carry on as before.

      2. Anonymous Coward
        Anonymous Coward

        Re: Bye, bye, Mozilla

        But not well supported. Even the default browser on my my two year old Android phone doesn't support SNI.

  7. John Robson Silver badge

    When I can self sign and provide the public key by DNSSEC...

    then this is fine, assuming we don't ever want anyone who doesn't have a fast connection to be able to cache the data...

    1. Charles 9 Silver badge

      Re: When I can self sign and provide the public key by DNSSEC...

      Dynamically-served data by nature can't be cached anyway. As for static data, perhaps a new convention will be to request a page's hash first (which can be done by a server as a page is uploaded--only needs to be done once per update) to compare against the local copy. If the hashes match, you don't need to get the whole page. If no match or no hash, you just proceed as you normally would.

      1. John Robson Silver badge

        Re: When I can self sign and provide the public key by DNSSEC...

        Only works on a per machine cache, no help to ISPs, companies, multiuser households....

        Can't you already ask for "last updated" anyway?

        1. Anonymous Coward
          Anonymous Coward

          Re: When I can self sign and provide the public key by DNSSEC...

          Per-client cache should suffice since it would still reduce repeat traffic significantly if not as much as an ISP cache (BTW, I prefer the hash to the last updated--the latter can be faked, we haven't seen a successful preimage attack using current algorithms). The corporate cache would still be in effect since they can implement a secure-transport proxy. Big downloads would just need to be negotiated between household members, which already occurs with low data caps. Web pages and graphics may be hit multiple times, but are they really that significant these days? As for stuff like Netflix, that's considered dynamic content anyway due to the per-user authentication, so fixing that's up to Netflix and the ISP. Besides, I wouldn't want to trust the ISP with caching content anyway. They could inject stuff into the stream. Go to the source; it's the best way to be sure. And if the source is compromise, you're screwed no matter what.

          1. John Robson Silver badge

            Re: When I can self sign and provide the public key by DNSSEC...

            Thinking about - what we need is an HTTPA protocol - authenticated, rather than secure.

            So it can be sniffed and cached, but not altered (or the hash would change) - based on a DNSSEC or HTTPS transfer of the hash maybe?

            1. Charles 9 Silver badge

              Re: When I can self sign and provide the public key by DNSSEC...

              No, it can't be sniffed or they'd be able to break or alter the hash to make it look legitimate. Like with SSH, you need the whole conversation to be sniff-resistant or someone can find a way to inject into the session. IOW, an authenticated connection can't easily stay authenticated if stuff is transmitted in the clear.

              1. John Robson Silver badge

                Re: When I can self sign and provide the public key by DNSSEC...

                The hash is transported over a secure connection (DNSSEC or HTTPS) - so that can't be altered. The content can still be cached however, since it isn't secret.

                This is the difficulty, we have lost the difference between authentication and secrecy.

                Downloading a web page (for instance a government policy document) doesn't require secrecy, although autentication is important. A hash could be pushed over DNSSEC very easily, allowing the actual document to be obtained from a cache or anywhere else - and still be authenticated.

  8. Anonymous Coward
    Anonymous Coward

    Too costly

    But a certificate can cost as much as a website. This makes secure website unaffordable, until https://letsencrypt.org/ appears.

    1. Anonymous Coward
      Anonymous Coward

      Re: Too costly

      Yes, because at $5 per year for an SSL cert your $4 per year website will be unaffordable. It will mean shutting down you website as it is no longer viable.

      1. Anonymous Coward
        Anonymous Coward

        Re: Too costly

        Yes, because at $5 per year for an SSL cert your $4 per year website will be unaffordable

        Two questions:

        - where can you get an SSL cert with a root that's already in all browsers for $5?

        - why would I trust that, because it's unlikely to be subject to much testing?

        Overall question: WTF? Honestly, what do the Mozilla guys smoke? Where does this urge come from to ram decisions down everyone's throat without as much as a consultation? Were they joined by Microsoft?

        If you want to protect the web, fine - but it's the decision of those that publish in which way they do that. What you COULD do is come up with a scheme that makes it easier for a website to go SSL when the customer asks for it (could be a nice use of the do-not-track flag which presently is only used to send you ads about crypto gear), but the use of SSL creates resource overhead and is impossible to cache. Where it *could* make sense is when user input is asked, but here too remains the fact that you don't always need it.

        If you really want to do something about surveillance you should start asking questions about the lack of accountability of those that do this, but that means engaging in politics which risks upsetting sponsors. Ah, no, better back to your safe coding environment.

        1. Anonymous Coward
          Anonymous Coward

          Re: Too costly

          - where can you get an SSL cert with a root that's already in all browsers for $5?

          - why would I trust that, because it's unlikely to be subject to much testing?

          The only mob I know of is StartCom SSL CA… they will give you a free certificate, but there's a catch: they do not permit subdomains or wildcards on their Class I certificates, if you want/need those you need to go to Class II.

          So if you're like me and have a number of websites on a free DNS alias (I use yi.org for mine), you're stuffed.

        2. Anonymous Coward
          Anonymous Coward

          Re: Too costly

          - where can you get an SSL cert with a root that's already in all browsers for $5?

          - why would I trust that, because it's unlikely to be subject to much testing?

          You can get comodo certs from many vendors for that price. Of course it is trusted by most browsers, otherwise it would be pointless.

          "unlikely to be subject to much testing". Eh? it's an SSL cert it doesn't need "much testing". SSL certs are effectively free to generate for the cert company, it's not a massive process for non verified certs.

          As for the multi-domain etc thing. If each of your sites aren't worth $5 per year then you should probably take a step back and wonder how relevant they are to needing to attract the latest Firefox dev features and whether anyone, including your self is likely to miss the site if it didn't exist.

          If your visitors did then set up a donate 1c to help me keep this site alive campaign and with just 500 donators you could raise $5!

          1. Paul Crawford Silver badge
            FAIL

            Re: @an SSL cert it doesn't need "much testing"

            So if no one has checked the person requesting the certificate, How can you trust it? how do you know it was issued to the site that is now signed as being so?

            That is the underlying problem of the whole https system: the certificates are only as secure as the logical-OR of all 600+ authorities who can issue them, and some (or their governments) I would not trust as far as I can comfortably spit out a rat...

            Hence we than have the "certificate pinning" that sort of works on some browsers & sites. And we have Chrome basically ignoring certificate revocation completely (speed matters! WTF do you care if its dodgy?)

            1. Anonymous Coward
              Anonymous Coward

              Re: @an SSL cert it doesn't need "much testing"

              "So if no one has checked the person requesting the certificate, How can you trust it? how do you know it was issued to the site that is now signed as being so?"

              They do basic validation to see that the person requesting it is in control of the domain. You also need access to the server to request a CSR and install the cert.

              If you think it is that easy why not go to a free/cheap registrar and ask for a certificate for theregister.com. Post the CSR and Resulting cert here to verify it was successful and I'm sure you will be recompensed for your efforts through one means or another.

              The extended validation is just proving that a company called "my store" actually exists as a trading entity and that they are running the site mystore.com. This isn't necessary for most situations.

          2. Anonymous Coward
            Anonymous Coward

            Re: Too costly

            If your visitors did then set up a donate 1c to help me keep this site alive campaign and with just 500 donators you could raise $5!

            And at 5c a transaction, that $5 will cost you $25 to collect.

        3. This post has been deleted by its author

        4. b166er

          Re: Too costly

          Erm, GoDaddy are doing SSL certs for £3.99

    2. Jamie Jones Silver badge

      Re: Too costly

      But a certificate can cost as much as a website.

      And a car can cost as much as a house. What's your point?

  9. Ole Juul

    Surely the're something missing in this report

    It just can't be that all those little sites by charities and just regular folk need to use https. I'm pretty sure that the Mozilla folks are more net savvy than that.

  10. Lostintranslation

    No doubt Mozilla will be promoting a bulk-buy SSL cetificate offer in the near future.

    Sadly though, as far as this business is concerned, Firefox has become increasingly difficult to use over the last few months and is near to being consigned to the dustbin. This could be final nail for us.

    1. Tom Chiverton 1

      Didn't Mozilla and Google announce an (free) automatic SSL enabling and renewing project?

  11. Jusme
    Black Helicopters

    Does anyone still believe https is secure?

    Just go look in your browser certificate store and see world+dog being trusted. That's why they had to introduce Extended Validation certificates - for sites that really really (cross-my-heart-and-hope-to-die) want you to think they are secure.

    A false sense of security is worse than no security. On an http site you know anyone could be viewing and tampering with your data. Deal with it. On a plain https site your best bet is to assume the same.

  12. RonWheeler

    Every workplace already snoops HTTPS

    ...with a man in the middle trusted certificate. While it does prove 'something', the mindset of HTTPS being secure is a borderline joke.

    Havn't used Firefox in over a year now anyway. It is simply a confused mess IMO. Swapped to Chromium and no looking back.

    1. Anonymous Coward
      Anonymous Coward

      Re: Every workplace already snoops HTTPS

      So how do you surf the web privately on Chromium without stuff like NoScript, AdBlock, and so on?

  13. illiad

    another reason to DUMP mozilla, and go pale moon...

  14. Tannin

    The Firefox developers have gone totally ga-ga. They have committed more than a few stupidities over the last couple of years, but this is beyond ga-ga and well out there into completely insane. Is there no cure? Someone had better reach for the humane injection. And don't bury the corpse. Burn it to be sure it's not infectious anymore.

    1. Anonymous Coward
      Anonymous Coward

      No, burning will only make it worse if the corpse contains dioxin or some other compound that becomes worse upon combustion.

    2. GrumpenKraut Silver badge

      > The Firefox developers have gone totally ga-ga.

      Yes indeed.

      With several browsers of good quality available, a few "features" that are massively annoying can be enough to drive users away. The Firefox developers appear to be interested in finding what a sufficient value of "few" is.

      Cannot choose icon (using chromium).

      1. Anonymous Coward
        Anonymous Coward

        Thing is, last I checked, their add-on architecture gives them offsetting benefits that none of the competition can duplicate as reliably or as easily. While rough analogues to NoScript, AdBlock, etc. are in the Chromium compendium, most are considered subpar to the original.

  15. bigtimehustler

    I think the idea is crazy, I see why it's done but some content never needs to be encrypted. If I am browsing someones public blog, why should it be encrypted? It's not secret information and is freely available.

    1. Anonymous Coward
      Anonymous Coward

      And conversely, if you don't want spooks sniffing your metadata (say you're reading anti-goverment blogs in China, or merely NSFW at work) then HTTPS isn't enough. Hell, TOR isn't enough unless it's baked into the net so that using it isn't a red flag.

    2. Anonymous Coward
      Anonymous Coward

      re: bigtimehustler

      The problem isn't that we care, or don't care, about what you're browsing. What we care about is that the data that you requested is the data that you actually receive without having been MitM'd by their ISP, the backbone carrier, the [insert evil bastards here], or your ISP. Truly, without a secure connection, you don't know what you're going to receive.

      1. Anonymous Coward
        Anonymous Coward

        Re: re: bigtimehustler

        Put this way, HTTPS in this sense is meant as a form of transport security, not privacy. As a means of ensuring privacy, yes it's substandard, but as a means of making sure the data being passed from A to B isn't being hijacked, then it's about the simplest solution available for now that provides a reasonable basis for authenticity. Sort of like how we replaced Telnet with SSH for the same reason: to prevent the session being intercepted halfway. We're seeing a situation in which NO data coming from the Internet in the clear is really safe anymore, meaning ALL traffic has to be encrypted and authenticated to curtail on-the-fly alteration.

        Seen in such a way, the attitude about cite certificates may necessarily have to be changed to reflect that there is a used for "less authentic" certificates intended more for the lesser purpose of providing a safe communication channel than for authenticating the site itself.

        1. Anonymous Coward
          Anonymous Coward

          Re: re: bigtimehustler

          Agreed, now kindly explain to me why I should serve up the exact same images, stylesheets and lumps of JavaScript to the same user every time they click a https:// link to my blog when the same content would otherwise get cached if served via plain HTTP?

          http gets cached, https does not. I agree that MitM-style attacks such as Great Cannon are a big problem. Yes, we can "fix" it with encryption, but then we break proxies and caches, so the same content has to be requested again and again by the same browser in a session.

          I'd rather see an extension to http/https that just provided signed digests of such blobs. The problem is the browser knowing two things:

          - that a blob it downloads ought to be signed

          - what key that blob should be signed by

          We can't give this information via DNS, because that can be hijacked even easier than HTTP.

          Different port with a specific "protocol" would work; then you're left with the same problem as TLS: trust. If you've never "spoken" to this host before, you've got no way of knowing if this is real or fake. You need a third party to decide (CAs or web-of-trust).

          So not an easy problem… but not impossible to solve either.

          1. Charles 9 Silver badge

            Re: re: bigtimehustler

            "I'd rather see an extension to http/https that just provided signed digests of such blobs. The problem is the browser knowing two things:"

            I made such a proposal earlier. I say make this an extension of HTTPS itself to request a hash/hashes of a page using current best practice algorithms (and allowing for better ones down the road). For static content, these hashes can be computed when they're uploaded (dynamic content by nature can't be cached anyway). Existing caches can be hashed client-side for a quick transition. Anyway, make the request by HTTPS itself to ensure at least a channel mostly safe from MITM (if this can be intercepted, so can the page itself, meaning you're screwed anyway). If the hash provided by HTTPS matches an existing hash, use the cached copy; otherwise, serve it and update the local copy. Simple enough to implement, I think, and it wouldn't have to interfere with the existing spec since it can work on top of it.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021