Mozilla Restricts All New Firefox Features To HTTPS Only (bleepingcomputer.com)
An anonymous reader shares a report: In a groundbreaking statement earlier this week, Mozilla announced that all web-based features that will ship with Firefox in the future must be served over a secure HTTPS connection (a "secure context"). "Effective immediately, all new features that are web-exposed are to be restricted to secure contexts," said Anne van Kesteren, a Mozilla engineer and author of several open web standards. This means that if Firefox adds support for a new standard/feature starting tomorrow, and that standard/feature carries out communications between the browser and an external server, those communications must be carried out via HTTPS or the standard/feature will not work in Firefox. The decision does not affect already existing standards/features, but Mozilla hopes all Firefox features "will be considered on a case-by-case basis," and will slowly move to secure contexts (HTTPS) exclusively in the future.
Correction. (Score:2)
FTFY.
Loyal Firefox user for over a decade now. (Score:5, Insightful)
Re:Loyal Firefox user for over a decade now. (Score:5, Interesting)
...Just... what are they thinking?...
Who knows if they are even thinking at all. The crowd that currently appears to be in charge at Mozilla seems to have a really strange perception of what the Firefox users want, and a strange perception of security. Yesterday I tried to log into the Mozilla site, but I was not allowed to because I would not let Mozilla persistently store tracking data on my PC. I allowed session cookies, but that wasn't good enough for them. Apparently they wanted access to offline web content storage.
Re:Loyal Firefox user for over a decade now. (Score:4, Interesting)
The LAN issue is an interesting one, maybe Firefox should make an exception for the private IP address ranges. That would be reasonable. On the other hand, I am all for HTTPS for everything else, even eventually dropping non-SSL support altogether.
Re: (Score:3, Insightful)
The LAN issue is an interesting one, maybe Firefox should make an exception for the private IP address ranges.
You do realize, I hope, that "private IP address ranges" are in the eye of the beholder. Yes, there is a standard set, but if I want to treat 123.123.0.0/16 as "private" there is nothing you can do to stop me.
On the other hand, I am all for HTTPS for everything else
Then you are free to run all your websites using HTTPS only. I run several websites, and not a single one of them needs HTTPS for anything. One of those is for one of those awful universities that gets grant money to do research and then keeps the data secret -- by publishing it on an open website for
Cleartext HTTP vulnerable to script injection (Score:5, Insightful)
I run several websites, and not a single one of them needs HTTPS for anything.
How do you assure visitors of the several websites you run that the markup, stylesheets, images, fonts, and possibly scripts on your site have not been modified in transit by an intercepting proxy between your server and the viewer's machine? Comcast, for example, has been shown to inject advertisement scripts into HTML documents delivered through cleartext HTTP.
OMG, a MITM might substitute fake data! How awful!
Thus you answer your own question. It is awful.
Re: (Score:2)
Which is the greater danger, allowing web access in the clear (note that this does not preclude allowing secured access as well) or creating a single point of failure called "Let's Encrypt" such that if it does fail then suddenly the entire world has to start paying money for certificates or finds their sites no longer work properly?
Re: (Score:3)
Not only that, but with Let's Encrypt issuing out certificates so sites can phish, it seems like a good way to avoid all the Paypal and other phishing is to block the Let's Encr
Re: (Score:3)
with Let's Encrypt issuing out certificates so sites can phish, it seems like a good way to avoid all the Paypal and other phishing is to block the Let's Encrypt certificate. (they issued like 14,000 phishing certificates)
Why not go a step further to block the domain registrars that issue out domains so sites can phish?
Re: (Score:2)
Considering all users have been trained to click through all these useless security prompts, add website exceptions, and trust any certificates thrown at them, I would be surprised - shocked even - if an invalid certificate made a user so much as pause as they rabidly
Re: (Score:2)
Via Google Search for comcast injecting javascript [google.com], I found this [github.com], this [xfinity.com], this [ycombinator.com], and this [gizmodo.com].
Re: (Score:2)
If Comcast is your ISP, they can MITM you and inject ads regardless of HTTP v HTTPS.
I don't see how. What CA would Comcast use to make the fake certificate for the HTTPS site I'm visiting?
Re: (Score:2)
"private IP address ranges" are in the eye of the beholder.
Somewhat true. I mean if you don't want to be able to connect to parts of China, you can use 123.123.0.0/16, but the IP range is defined as public - and registered under APNIC.
Re: (Score:3)
if I want to treat 123.123.0.0/16 as "private" there is nothing you can do to stop me
And when your routing table has a hiccup, there's nothing to stop your "private" request being sent to Chinese servers.
123.112.0.0 - 123.127.255.255 is owned by China Unicom
Re: (Score:2)
And when your routing table has a hiccup,
Gee, yeah, if I misconfigure my network it won't do what I want it to do. I'm shocked to learn that. Shocked.
I know that block is owned by someone else. That's the point.
Re: (Score:2)
The overhead for SSL is not the encryption. Not on a modern CPU it isn't. Any overhead is due to the extra communication steps to set up the connection. But HTTP 1.1 will do a single handshake and reuse the connection.
"On our production frontend machines, SSL/TLS accounts for less than 1% of the CPU load, less than 10 KB of memory per connection and less than 2% of network overhead. Many people believe that SSL/TLS takes a lot of CPU time and we hope the preceding numbers will help to dispel that." - Ada
Re: (Score:2)
On our production frontend machines, ... Adam Langley, Google
So, if you have a huge compute infrastructure like Google does, SSL isn't much of a problem. Isn't it wonderful that all the websites in the world are run using massive parallel redundant servers like Google does it?
Re: (Score:2)
So, if you have a huge compute infrastructure like Google does, SSL isn't much of a problem.
Modern server CPUs contain AES instructions that make TLS bulk encryption efficient. If the computation cost of TLS were a practical problem, you'd be seeing the problem on your client whenever you browse Slashdot, SoylentNews, YouTube, or any other HTTPS site. Any website that's more than a collection of static documents has data storage, application logic, and presentation layers on the server side, and these probably use significantly more CPU time than TLS does.
Re: (Score:3)
Well Slashdot broke on my dial-up connection when it switched to HTTPS (pages hardly ever fully loaded) as well as a lot of pages suddenly needing to be reloaded. You depend on the cache a lot more with a 26.4 KBs connection.
Then there is the issue of small-timers who want to serve a web page from home, using an old computer and dynamic hostname. Seems like another move to make sure that only large companies can serve content on the internet.
Clients cache HTTPS (Score:3)
The web browser caches resources delivered through HTTPS the same way as resources delivered through cleartext HTTP. The only thing you lose is being able to cache on an intermediate proxy, but that is relevant if you're splitting one dial-up connection among multiple clients.
Then there is the issue of small timers who want to serve a web page from home, using an old computer and dynamic hostname.
File a support ticket with your dynamic DNS provider to request addition to the Public Suffix List [publicsuffix.org]. If a dynamic DNS provider is on the Public Suffix List, Let's Encrypt issues 20 certificates per customer per week instead of 20 per pr [letsencrypt.org]
Re: (Score:2)
Re: (Score:2)
SSL/TLS adds little CPU overhead when your system has hardware accelerated encryption engines to offload the encryption from the CPU
The overhead then becomes a DMA transfer and a kernel context switch.
Or if you're like Twitter (I think, could have been some other big company) you write your own network stack to include the hardware encryption to avoid multiple kernel calls.
Re: (Score:2)
- Doug Beaver, Facebook
Re: (Score:2)
Re: (Score:2)
Man in the middle. It stops the collection of a user's plain text communications along the internet.
The data travels from a user's browser to the site or service the user expected, not to be collected by some 3rd party, the ISP.
Re: (Score:2)
Re: (Score:2)
If a non-Internet-facing internal website is created, the skilled staff can also suggest a browser to use on their supported network.
Re: (Score:2)
Among other reasons for TLS, anything accessible over the Internet via non-TLS HTTP can be hijacked for DDoS attacks via the "Great Cannon": https://en.wikipedia.org/wiki/... [wikipedia.org]
Systems behind reverse proxies do not run https (Score:2)
Systems behind reverse proxies do not run https in all places
Re: (Score:2)
The question is what domain those embedded boxes are serving. You said yourself, they are never exposed to the internet. So if you *really* need to, you can add a reverse proxy that adds https to the session, with the endpoint being none the wiser. Also if they are never exposed to the internet, using a public CA certificate makes no sense, use a private one deployed to your employee systems. You can control expiry and all that. Or just let the insecure cert roll and use a browser like firefox that wil
Re: (Score:2)
If there's no trusted 3rd party, what is the point of encryption?
Unless you have a certificate or a shared secret, how do you know the party on the other end of the encrypted connection is who you think it is, and not a MITM? You don't, so what was the point?
Re: (Score:2)
Then it is non-standard (Score:4, Insightful)
If the standard calls for a feature to work on both HTTP and HTTPS, and you implement only HTTPS, then it is not a standards-compliant implementation...
Come on Mozilla Foundation! Those heavy-handed tactics could work when your market share was about 50%, but not anymore...
JM2C, YMMV
Secure Contexts (W3C CR) (Score:2)
If the standard calls for a feature to work on both HTTP and HTTPS, and you implement only HTTPS, then it is not a standards-compliant implementation...
Nor does an implementation comply if the browser implements it over cleartext HTTP but the standard specifies that it shall not work over cleartext HTTP. A growing number of web standards specify such, citing things like the W3C Candidate Recommendation "Secure Contexts" [w3.org].
Those heavy-handed tactics could work when your market share was about 50%, but not anymore...
That'd be a good comeback if plurality browser Chrome weren't also doing it [chromium.org].
Re: (Score:2)
Chrome says it is applying this to things like geolocation and encrypted media. Firefox says it applies to CSS color properties. Chrome explicitly ignored these rules on localhost, Firefox didn't.
Re: (Score:2)
Firefox hasn't applied the new approach to anything yet. Neither has Chrome. Chrome will probably follow Firefox's lead here.
Note that Anne's guidelines explicitly make an exception to allow a feature to work in insecure contexts if another major browser (Chrome) is already doing so. Mozilla isn't going to do anything suicidal like stop features from working in Firefox when they work in Chrome.
Re: (Score:2)
The W3C get to define the standards
Is this one [w3.org]?
Re: (Score:2)
The W3C get to define the standards
Is this one [w3.org]?
Specifically this part: 7.4. Restricting Legacy Features [w3.org]
Re: (Score:2)
There are new standards that are specified to only be run from secure contexts. Service Workers is one of them.
Will this stop nosy overreaching gov & corps? (Score:2)
Re: (Score:2)
Police who get ISP logs will be the interesting change.
ISPs will have to get some new skills if they want to keep looking over a user's communications.
Ads will have to change and become part of a site in some way.
Re: (Score:2)
It makes snooping much more expensive and it makes passive undetectable snooping impossible. To snoop, they have to install software on the user's computer, or the target server, or else get a CA to generate a certificate they can use to MITM the connection. All of these things are expensive to do at scale, and detectable. In the latter case, the bad certificate can be recorded and constitutes proof of the CA's misbehavior; if a rogue CA is found to have misissued a certificate, there are consequences, as
Encryption is the new fad (Score:4, Insightful)
Very little needs to be encrypted or authenticated. Not everything that needs to be encrypted when going through the open internet needs to be encrypted or authenticated when happening on a closed LAN. Encryption isn't for free. SSL certificate management isn't for free. When stepping away from the half of web browser use that happens on the open internet and into the other half that happens on closed networks, it is wasted effort for no benefit.
Re: (Score:2)
Very little needs to be encrypted or authenticated.
Then always use encryption so you don't have to think about whether you "need" it or not.
SSL certificate management isn't for free.
Let's Encrypt helps out here. It's not a huge pain in the ass anymore and doesn't cost users money.
The problem I see here is my router and cable modem web interfaces don't support https. I know as I just tested them. These are fairly new devices too.
Re: (Score:2)
DNS registries and registrars (Score:3)
If the functionality of your system depends on yet another third party, then it isn't free.
DNS registries and registrars are third parties. What makes a CA any different from DNS in this respect?
Re: (Score:2)
Re: (Score:2)
How many "new Firefox features" is a site on a server with such limited resources going to use?
Re: (Score:2)
Re: (Score:3)
Then always use encryption so you don't have to think about whether you "need" it or not.
I've already thought about it. For the websites I run, it isn't needed. It isn't worth my time managing certificates for them.
It's not a huge pain in the ass anymore
So it is still a pain in the ass, just not a huge one. See above.
The problem I see here is my router and cable modem web interfaces don't support https.
I connected to the embedded web server in my HP printer for the first time just last night. It did HTTP just fine. Then it demanded to switch to HTTPS because I was going to enter a password. The first thing Firefox did was bitch about the certificate and make me go through the "add exception" process, after puking up t
Re: (Score:2)
This press release is garbage (Score:2)
Since the article at bleepingcomputer makes no sense, I went to Mozilla's site. It isn't much better. It says:
Effective immediately, all new features that are web-exposed are to be restricted to secure contexts. Web-exposed means that the feature is observable from a web page or server, whether through JavaScript, CSS, HTTP, media formats, etc. A feature can be anything from an extension of an existing IDL-defined object, a new CSS property, a new HTTP response header, to bigger features such as WebVR. In contrast, a new CSS color keyword would likely not be restricted to secure contexts.
What is "observable from a web page or server?" I get that they are trying to prevent information leakage, but this statement is overbroad. I call B.S. on it.
Mozilla programmers will not waste their time checking if HTTPS is enabled before supporting a new CSS property, or a new SVG feature. That would be a moronic waste of developer time. Heck, I bet they couldn't even implement that if they
Re: (Score:3)
Mozilla developers like Anne know more about browser development than you do.
In Gecko, restricting new DOM APIs to secure contexts is simply a matter of adding an attribute to the WebIDL:
https://github.com/mozilla/gec... [github.com]
Probably something similar will be added to the CSS property list.
There is also a single method you can call on the internal interface of a 'window' object to determine if you're in a secure context.
https://dxr.mozilla.org/mozill... [mozilla.org]
Selective disabling of new features is already standard prac
So I have to put servers' IPMI on the internet so th (Score:2)
So I have to put servers' IPMI on the internet so maybe use Let's Encrypt (with maybe auto renew) or just keep them offline and manually update certs all the time on each on
Re: (Score:2)
If you don't want to expose your server to the Internet, you can use Let's Encrypt with an ACME client that supports the DNS challenge instead of the HTTP challenge.
Re: (Score:2, Insightful)
STOP POSTING WITH YOUR IPHONE
Re: (Score:2)
You're responding to the wrong AC. Easy mistake to make.
Re: (Score:2)
These Unicode characters are just fine on Slashdot:
It's anything above U+007F that gets molested by Slashdot, such as:
I'm not posting from an iPhone. You can input these characters from any modern PC. It's just Slashdot decided to support only ASCII char
Re: (Score:2)
Re: (Score:3)
Re: (Score:2)
As opposed to what, exactly? ...Any of the fringe browsers, which are likely to be garbage and full of malware, too?
Does Opera count as fringe? I'm in Chrome right now (at work), but Opera's my main browser at home. It'll run indefinitely on my Win10 box without leaking or crashing while browsing CNN, Facebook, Youtube, Xvideos, Slashdot, Pandora, Netflix, Plex, etc. I'd be very surprised to learn there was malware incorporated.
Re: (Score:2)
Firefox 13.29%
Internet Explorer 13.00%
Edge 3.78%
Safari 3.42%
Sogou Explorer 1.68%
Opera 1.57%
QQ 1.35%
UC Browser 0.73%
Yandex 0.63%
Looks pretty fringy to me.
Re: (Score:2)
Yeah, anything beyond the top 5 I'm happy to call "fringe". So, according to you, that makes it "likely to be garbage and full of malware". I believe Opera's neither garbage nor full of malware.
Re: (Score:2)
Safari 3.42%
I thought all browsing on iPod touch, iPhone, and iPad was done through Safari (or through a third-party web browser that wraps Safari's engine). Are these only desktop numbers?
Re: (Score:2)
On my non-technical site (content doesn't have a bias toward users having any particular software) Safari measures (for whatever that's worth; see 1st paragraph) at 34%.
Safari is currently Mac-only among desktop platforms. I'd be surprised if over 34 percent of visitors to your site use a Mac. Or are you counting Safari for iOS in your 34 percent? Rick Schumann doesn't appear to be.
Re: (Score:3)
Yes. It was originally Norwegian, but was sold to "Golden Brick Capital Private Equity Fund I Limited Partnership" for $600M at the end of 2016.
Re: (Score:2)
People will switch when they begin to have problems, tech literate excluded. People don't want nor will they know about features like this, they want just to use their browser without difficulty and without consideration of restrictive features.
Re: (Score:2)
I think you better realize that EVERYTHING you do is getting raked over by the Chinese Government's servers
That's a possibility. It's been investigated repeatedly and nothing's been found, but that's not 100% confidence and I trust the Chinese even less than MS and Google. Of the sites I mentioned, only Pandora has any financial information from me and it wasn't transmitted through Opera. Opera's my main browser at home, but not my only one. If the Chinese want to know which news articles I read, it bothers me the same amount as if my ISP does. Chrome's probably mined deeper than Opera simply because I'll bet Go
Re: (Score:2)
Re: (Score:3)
We need to know so we can all switch to it.
Lynx's security is second to none.
Re: (Score:2)
We need to know so we can all switch to it.
Lynx's security is second to none.
Don't forget w3m [sourceforge.net] and links [twibright.com].
What process sandbox? (Score:2)
Can't be Chrome since it is less secure than Firefox, even pre-Quantum.
Since when did Firefox start using OS-level process sandboxing the way Chromium and Google Chrome do [chromium.org]?
Re: (Score:2)
Since last year.
Re: (Score:2)
I really do think that weaning the web off non-SSL HTTP is a good thing, I don't know how anyone can oppose protecting people's privacy. There's no cost any more to getting a TLS cert so there's just no excuse any more to not go HTTPS. The only issue was LAN IP addresses and maybe an exception should be made for private IP addresses. For all public IP addresses I would actually support throwing up an "insecure site" warning for all non-SSL sites that users have to click an exception button, then eventually re
Router, printer, NAS, and other FQDNless devices (Score:2)
There's no cost any more to getting a TLS cert
Yes there is. You need a domain, for instance, and it has to be a fully qualified domain name (FQDN), not something like .local from mDNS or .internal from a private DNS server. For example, what would the FQDN of the configuration page of the router, printer, or NAS on your LAN be? Mozilla acknowledged the difficulty of securing such nameless devices on the LAN in "Deprecating Non-Secure HTTP Frequently Asked Questions" [mozilla.org]:
Re: (Score:2)
He did mention explicitly private addresses.
It is a valid point that https on embedded devices and for unmanaged local networks is pretty awkward, with no one really stepping up to make that use case a bit more friendly (even if it can't be made secure).
It's of course very weird that browsers treat unvalidated https as *worse* than http, in terms of scaring the user.
False sense of security from self-signed cert (Score:2)
It's of course very weird that browsers treat unvalidated https as *worse* than http, in terms of scaring the user.
Cleartext HTTP gives the user a true sense of insecurity, as the scheme portion of the URL doesn't say https. Self-signed HTTPS gives the user a false sense of security, as it increases the chance for MITM to intercept the connection, unless the user has already verified the certificate fingerprint out of band. (It shares this false sense of security with SSH servers that don't publish server key fingerprints elsewhere.) I guess Mozilla considers the sense important to users' privacy and safety.
comcarp paid them so $10 device /outlet ipv6 (Score:2)
comcarp paid them so it will cost you $10 per device/outlet on IPv6 and it will get an FQDN over the Comcast gateway (must rent at $12/mo) with IPv6 DHCP
Re:Router, printer, NAS, and other FQDNless device (Score:5, Informative)
Let's Encrypt has short-lived certificates, which are kinda useless and annoying when you have a device that is *not* a general-purpose computer capable of running their scripts.
Am I really going to do a manual process on every cable modem, WAP, router, printer, switch, AP, IoT device, etc, every 3 months?
The "local network devices" problem is a real problem, and it's never given proper attention in these HTTPS proclamations.
I "solved" it for myself by setting up a local CA to make certs for my stuff. Unfortunately, getting the cert for that CA into all my browsers is annoying, and can introduce its own share of issues.
Re: (Score:2)
Let's Encrypt has short-lived certificates, which are kinda useless and annoying when you have a device that is *not* a general-purpose computer capable of running their scripts.
What is the web server itself running on if not "a general-purpose computer"? If a special-purpose computer locked down to run only particular web server software, this particular web server software can include an ACME client. Certbot is not the only ACME client that can retrieve a certificate from Let's Encrypt or another ACME CA.
Am I really going to do a manual process on every cable modem, WAP, router, printer, switch, AP, IoT device, etc, every 3 months?
No. The manufacturer of "every cable modem, WAP, router, printer, switch, AP, IoT device, etc" will include an ACME client (or some other means of renewing a certificate) in the
Re: (Score:2)
The manufacturer of "every cable modem, WAP, router, printer, switch, AP, IoT device, etc" will include an ACME client (or some other means of renewing a certificate) in the software package that runs the web server in said device.
Does letsencrypt.org issue certificates for private IP addresses now? Most such devices limit their configuration interface to the internal facing interfaces.
Re: (Score:2)
Let's Encrypt will issue a certificate to the domain owner even if the hostname in the certificate is not the hostname of a server reachable through the Internet. For unreachable hosts, Let's Encrypt verifies domain control through the ACME dns-01 challenge, which requires putting a temporary TXT record in your domain's DNS zone.
Re: (Score:2)
My ISP supplied me with a Fritzbox for a router. They have Let's Encrypt support in their current beta firmware.
Although they still give people shitty netgear routers if they don't have gigabit plans...
Re: (Score:2)
There's no cost any more to getting a TLS cert
Yes there is. You need a domain, for instance, and it has to be a fully qualified domain name (FQDN), not something like .local from mDNS or .internal from a private DNS server. For example, what would the FQDN of the configuration page of the router, printer, or NAS on your LAN be?
You do not need your own top level domain (example.com). You can get a FQDN for free under other existing domains.
That said, you have a point, since that would significantly lower the level of trust (if you own the domain, the registrar could steal it out from under you, so you have to have some trust in them; if you get a subdomain off a third party, they can easily steal your subdomain, so you would have to trust them not to do so).
That risk is probably why the market for free FQDN's isn't very big. Most
Re: (Score:2)
You can get a FQDN for free under other existing domains.
But then you're more likely to run into CA-imposed rate limits [letsencrypt.org] because many subdomain providers aren't on the Public Suffix List yet.
Re: (Score:2)
Hosts on a personal domain need not accept connections from the public. If the domain needs a public presence, it can be hosted on some cheap static site host.
Re: (Score:3)
Not all content requires people's information to be transmitted over the wire.
Re: (Score:2)
The path and query string themselves are enough to infer "people's information". With cleartext HTTP, a passive attacker can infer which medical condition you looked up on Wikipedia or WebMD. With HTTPS, an attacker can see the server's hostname in the Server Name Indication of the ClientHello message, such as en.wikipedia.org or www.webmd.com, but everything else is encrypted.
In addition, even when "people's information" is not "transmitted over the wire", the viewer's ISP can still inject advertisement sc
Re: (Score:2)
The path and query string themselves are enough to infer "people's information". With cleartext HTTP, a passive attacker can infer which medical condition you looked up on Wikipedia or WebMD. With HTTPS, an attacker can see the server's hostname in the Server Name Indication of the ClientHello message, such as en.wikipedia.org or www.webmd.com, but everything else is encrypted.
What you say is the same thing I said. Not every site is about having personal information transmitted or is personal in nature on the queries it responds to. Maybe I just run a site for my bathroom design business with my phone number on it. People visiting my site tell a 3rd party the same thing by simply typing the URL that they would from their full "page loads" since the only information to infer is that you're looking for a bathroom designer.
Re: (Score:2)
Not every site is about having personal information transmitted or is personal in nature on the queries it responds to.
Nor does every server operator always agree with its viewership on whether the site "is personal in nature on the queries it responds to." For example, some people find Wikipedia not "personal in nature" because they don't regularly read articles about (say) reproductive rights in a socially conservative jurisdiction.
Maybe I just run a site for my bathroom design business with my phone number on it.
How do viewers of your site know that your competitor didn't pay the ISP to change your phone number appearing on its subscribers' view of your site to that of your competitor?
Private IP addresses on which network? (Score:2)
The only issue was LAN IP addresses and maybe an exception should be made for private IP addresses.
You propose to exempt RFC 1918 private internets from requirements related to "Secure Contexts". If Firefox were to go this route, what logic would it contain to distinguish your home network from a probably less secure coffee shop network?
Re: (Score:2)
Or to treat private network IPs or reserved DNS differently when it comes to the scary insecure dialogs that the user sees, even if it is still using https but cannot possibly validate a certificate. The key would be the text in the URL, not the address, so that enterprises can still manage meaningful certificates for RFC 1918 IP addresses.
As it stands, using https without a viable certificate means the user gets scared far more than just doing http. Treating private names/ip addresses running https more lik
Re: (Score:2)
An "enterprise" can afford either A. use of a fully qualified domain name or B. device management to insert the enterprise's own internal root CA as trusted on enterprise-owned devices. I'm more concerned about home users.
Re: (Score:2)
Yes there is. Aside from the hassle of configuring it, maintaining it, and troubleshooting it when it breaks, even "free" things like Let's Encrypt are not free. They will not give me a cert.
I wish I had mod points, another nail in the 'fully free' or user based internet. If the page is static and no javascript crap then you should not have to get a cert.
Yes I know your ISP could inject crap before serving it to someone, but you remind the ISP that is illegal.
There is always lynx and USENET :) We should all move back to that.
Re: (Score:2)
Yes I know your ISP could inject crap before serving it to someone, but you remind the ISP that is illegal.
ISP's reply: "So what? We'll continue the illegal practice."
So who has standing to sue an ISP that deliberately flouts this law? The subscriber or the operator of the site that was modified?
Answer: Nobody does. It was a trick question. Mandatory arbitration clauses are a standard practice nowadays.
You could write your own ACME client (Score:2)
even "free" things like Let's Encrypt are not free. They will not give me a cert. What they will do is let me run their software which will magically do the cert shit for me.
Or you could read the published specification for Automatic Certificate Management Environment (ACME) [github.com] and write your own such software.
Re: (Score:2, Interesting)
So what do you use? Chrome, which is turning into the IE6 of the web now pushing all this proprietary Chrome-only markup, and arrogantly spawns a dozen or more background tasks on your computer bringing it to its knees?
I'm seeing lots of Chrome die-hards give it the boot and go to Firefox as a result. And the new Firefox 57 is faster than Chrome, so there's an added bonus.
Firefox has its faults, but if you're insulting it and using Chrome instead then you're just being a huge hypocrite. Chrome gets more pres
Re: (Score:2)
Those dozens of background tasks are your tabs or plugins you've installed.
Of the 6 processes my instance of Chrome is currently running (with one tab open) they are:
Browser: 115MB
GPU Process: 61MB
V8: 11MB
Slashdot tab: 111MB
Adblock Plus: 162MB
uBlock: 63MB
Each additional tab is one more process. If you install dozens of plugins, you'll get dozens of processes and gigabytes of RAM usage.
Tip: Press shift-esc to open Chrome's task manager and see for yourself.
Re: (Score:3)
Then we can talk.
Rolling out DNSSEC without first addressing DNS amplification is dangerous and irresponsible.
Re: (Score:2)
You have a really good point there. While generally I think it's good for internet sites to be compelled to support SSL, there should be a way for the user to create exception rules in the browser for these situations (as with a self-signed cert), with adequate warnings similar to the self-signed or expired cert screens. A setting should be included in the advanced section for setting up rules as well to permit non-SSL sites