Mozilla returns crypto-signed website packaging spec to sender – yes, it's Google

Re: Can we get Web caching back, please?

This is a common misconception. The worry isn't just that content might be read, but that it might be rewritten in transit. The only (current) way to protect against this is to sign the content with the client's public key, something which is impossible to cache and is handily part of encryption.

Re: Can we get Web caching back, please?

> Most Web pages we consume have zero privacy needs; they come from public Web pages.

> There is really no need for encryption in most of them!

Frankly, I don't think you have a clue. Every insecure page is an access route into a machine.

That login button you just clicked that redirects you to a secure site? Replaced by one to a phishing site.

That page you just loaded? Now it's got malicious Javascript and Flash applets injected into it.

Browsing your favourite news website? Now your ISP or the government has a record of every page you've viewed. Public wifi hotspot? Now everyone else might have a log too.

If you don't see the value of knowing the content you receive, is the content sent by the original site, and only visible to you and the origin, then I would suggest you have a very narrow view of computer security.

Re: Can we get Web caching back, please?

If only there was a network of caching proxies trusted by the page owner installed near the end user with the page owners private key and certs that would deliver content...

Re: Can we get Web caching back, please?

I encrypt everything I can over the internet just to make it harder for anyone and everyone in power to spy on me or anyone else. Not much to hide really (a quiet domesticated life) but not going to make it easy for fscks like Facebook, Lexis Nexis, or any government agency to get data for free that they monetize or weaponize and then use to contribute to the dystopia.

Re: Can we get Web caching back, please?

Clients will still cache pages and objects no matter the transport. Caching on a network is fairly pointless now as the bulk of your data is going to be single-view images and videos anyway (EG, images that change uri based on the person looking at them. Like how a social media site is going to provide a fresh uri for each user viewing the same image)

I do use a decrypting/re-crypting proxy to do content filtering and malware detection, I did do some caching, but I ended up with a less than <1% cache hit percentage, and only saved a piddling amount of bandwidth as the items that were in the cache were tiny icons, 1K css files, and other minuscule files that the client would cache anyway; while it was missing on all the image and video data, which made up like 99% of our traffic.

Re: Can we get Web caching back, please?

Although I installed an HTTPS MITM system in my home servers in order to mitigate the security problems that DoH brings, it occurs to me that this is also useful to deal with the problem that you're citing, too.

Re: Can we get Web caching back, please?

I think I understand where you are coming from. HTTPS can do encryption and/or authentication of the traffic, not of a web page per se. HTTPS does guarantee the source and freshness of the page. HTTP can easily be hijacked with an MITM attack and older or wrong pages inserted in the stream.

That squid you so love: perfect MITM tool. And you do know how many of our routers are entirely hackable. So your DNS query can return an IP address for a server in some other country.

Even if a page is signed, it may be older than the latest version. What will end up happening is that you will have to reinvent something similar to HTTPS to make sure the pages arrive in order from the right server.

Re: Can we get Web caching back, please?

> Then HTTPS-everywhere mania kicked in, and now every single load has to go back to the origin!

Absolute 100% codswallop. Your local browser is more than capable of caching HTTPS resources and will be doing so on every HTTPS site you visit unless that site is explicitly instructing the browser not to.

And to pick up on one other comments made here... Using HTTPS does not prevent a man-in-the-middle from seeing what DOMAINS you're accessing but does prevent them seeing what PAGES within that domain you're reading. That anti-government Facebook page you read - no the MITM can't see that you're accessing that.

Re: Can we get Web caching back, please?

The lack of cachability issue started way before HTTPS became common.

In the late 90's I administered our proxy solution for an enterprise that had ~30k desktops behind it.

Our internet-facing caches (we also had internal ones for corporate intranet sites) had 40GB per server caches. May not sound like much, but we are talking the lat 90's here.

Over that time period we could see a serious degradation to the efficiency of the caches (how much traffic was served from caches vs total internet incoming data).

This was primarily due to the proliferation of 'active' pages. jsp's and asp's and other cgi-based dynamic content. This means each page was dynamically created, on the fly, for each page-load. Many of the pages pulled data from databases and other backing stores and crafted the page on the fly. None of these are cacheable, as most that used these technologies diabled cacheing (in page headers, which can, of course be ignored by your cache, but then, how do you know as the cacheing provider whether it is a valid directive, or bad implementation?). And even if the page was cached, the next time the page was hit the URL would be unique due to the way that the page itself crafted links with unique ids in the URL, therefore each time the page is hit, the URL changes, thus won't match an existing page in the cache. And many of our own websites for public interaction were dynamic themselves, with the webservers doing nothing more than forwarding the requests to active pages that pulled all the content directly from databases.

Sure, HTTPS made this worse, but face it, most of the web these days is dynamic, uncacheable, content. Most static HTML pages out there are usually so small data-wise compared to the real content, the dynamic content, that implementing a cache probably costs more money than the bandwidth costs of those cacheable pages.

And its not just HTTPS or the general migration to an active internet (dynamic page content) issues either, a lot of it is DRM issues. Video bandwidth is a huge % of all data these days, netflix, youtube, etc., and all of those pages are encrypted for DRM, not for user security. Therefore that segment of traffic would be encrypted irrespective of the general move to HTTPS. It's that video traffic that chews up the bandwidth and would be ideally cached - at least for multi-user networks, e.g. corporates, apartment building networks, educational institutions, etc. - but 'piracy', therefore DRM, therefore it is encrypted anyway whether you want HTTPS or not.

Re: Hmmm man in the middle?

Worse: if I know that an older page had a vulnerability but the new one didn't I'd ship you the old one. Since you are trying very hard not to hit the original server, You will get exploited.

Cacheualty

There's quite a lot to address that, going as far back as HTTP/1.1 and the cacheing framework the Web grew up on. Dynamic content and third-party caches is a long-solved problem.

What HTTPS solves is the malicious MITM. The entirely benign cache is a casualty.

Because the motive was mentioned in an earlier story about changing the way Chrome[ium] exposes the API that uBlock Origin et al uses, so it went without saying. GoOgle are trying to reinvent the way client-server works which removes all choice from the client and forces the server elements that aren't GoOgle into a framework that gives GoOgle and a few selected (read monied) providers control of the traffic.

Enjoy the www while you can. The halcyon days are over if this isn't stopped firmly with a clue-by-four, a classic Etherkiller or several cattle prods. The trick is going to be getting the ordinary users to care.

Re: Can't see a single benefit to this.

There is some possible benefits to performance as it turns the whole internet into TOR nodes... For almost every other aspect I agree with you. It removes a number of layers of security and is quite unfriendly to work with.

Re: Not directly related but...

Of course it is. That's why anyone who's remotely serious about distributing executable contents will PGP-sign their packages.

I take it the time you refer to was a more innocent era. Not this century.

And of course, you can't entirely protect dumb users from counterfeits!

Re: Web, the new desktop...

I had to install Word just this week because a client sent a docx with a form to be filled out and returned and LibreOffice didn't support the ActiveX controls in the form.