Mozilla said yesterday: https://blog.mozilla.org/security/2015/04/30/deprecating-non-secure-http/ Forcing SSL sounds like a good idea on the surface, but there are a number of cogent objections raised in the comments. This blog post is a good read: http://cryto.net/~joepie91/blog/2015/05/01/on-mozillas-forced-ssl/ Many security products have problems with SSL, as evidenced by the numerous threads here. What will this mean for Firefox/Thunderbird users?
It means we're gonna switch to other products. I already offered to roll out Chrome to anyone in the office that wants it today.
But Chrome is a mess lately. I'm removing malicious extensions from Chrome once or twice a week, including Sinowal banking trojans and the like. Google does such a poor job vetting extensions compared to Mozilla. I've been doing the opposite, moving people from Chrome to Firefox. Time will tell, I guess.
For advanced users (and companies) Google has provided Chrome Policies (https://support.google.com/chrome/a/answer/187202?hl=en) which can be used to control (blacklist/whitelist) extensions. Very effective against that kind of attack.
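A concrete shape for the allowlist approach that post describes, added here as an example and not taken from the thread: a Chrome managed-policy file (on Linux, dropped into /etc/opt/chrome/policies/managed/) that blocks every extension except the ones explicitly listed. The extension IDs are placeholders, and the policy names used are the current ones (ExtensionInstallBlocklist / ExtensionInstallAllowlist; older Chrome builds knew them as ExtensionInstallBlacklist / ExtensionInstallWhitelist).

```json
{
  "ExtensionInstallBlocklist": ["*"],
  "ExtensionInstallAllowlist": [
    "PLACEHOLDER-32-CHAR-ID-OF-APPROVED-EXTENSION-1",
    "PLACEHOLDER-32-CHAR-ID-OF-APPROVED-EXTENSION-2"
  ]
}
```

With this in place a user who tries to add anything else from the Web Store is refused at install time, and chrome://policy shows the loaded values; on Windows the same two lists live under HKLM\Software\Policies\Google\Chrome as registry keys holding one numbered string value per entry.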
Thanks for the link. This looks great for advanced users and companies but completely beyond the reach of average users. This is Chrome foisting responsibility for this area of browser security onto the end user, IMO. I knew about the NPAPI deprecation, thereby removing Java and Silverlight among other things, and I can find mention of phasing out SHA-1 for security certificates: http://googleonlinesecurity.blogspot.com/2014/09/gradually-sunsetting-sha-1.html, but nothing about completely eliminating HTTP. Am I missing something? I really hope Mozilla re-thinks this. Maybe they (or more likely, some trustworthy extension developer) will offer a toggle.
https://blog.mozilla.org/security/2015/04/30/deprecating-non-secure-http/ was updated on May 1 to include a link to a FAQ document.
Thank you! That's it. Guess my Google-fu was weak today. I found this FAQ there: That seems a saner choice. Ideally, Google would decide to implement code vetting for extensions similar to the Mozilla process and Mozilla would adopt something like Google's indicator for insecure sites.
Thanks for this, too. The FAQ is really vague and glosses over some huge problems. I hate phrases such as "for a long time", "very small", "for the most part, it works", etc.
In addition to this, I think I read something about implementing new features only on HTTPS, but not, like Mozilla, also removing current features from HTTP. Unfortunately, I can't find the source.
Here is one article about it: http://www.zdnet.com/article/mozilla-wants-to-deprecate-http-sites-to-force-move-to-secure-web/
I do think there are merits to the idea but wonder:
a) how much of a difference this will make to encourage owners of current plain HTTP sites to change to HTTPS
b) how much difference it will make to the majority of web visitors - as of now, most people don't even know the difference.
c) will the warning sign increase awareness? Will it cause warning sign fatigue?
This was posted on reddit.com/r/firefox: blink-dev › Intent to deprecate: Insecure usage of powerful features
Yes. I saw that here: https://blog.mozilla.org/security/files/2015/05/HTTPS-FAQ.pdf I am wondering if that is enough as an incentive. I guess we would just have to see... hopefully it does.