Mozilla to phase out http, require https

Discussion in 'other security issues & news' started by geekatlarge, May 1, 2015.

  1. geekatlarge

    geekatlarge Registered Member

    Joined:
    Jul 23, 2013
    Posts:
    66
    Location:
    Searching for $Windows.~BT folders
    Mozilla said yesterday:
    https://blog.mozilla.org/security/2015/04/30/deprecating-non-secure-http/

    Forcing SSL sounds like a good idea on the surface, but there are a number of cogent objections raised in the comments. This blog post is a good read:

    http://cryto.net/~joepie91/blog/2015/05/01/on-mozillas-forced-ssl/

    Many security products have problems with SSL, as evidenced by the numerous threads here. What will this mean for Firefox/Thunderbird users?
     
  2. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    4,047
    Location:
    USA
    It means we're gonna switch to other products. I already offered to roll out Chrome to anyone in the office that wants it today.
     
  3. geekatlarge

    geekatlarge Registered Member

    Joined:
    Jul 23, 2013
    Posts:
    66
    Location:
    Searching for $Windows.~BT folders
    But Chrome is a mess lately. I'm removing malicious extensions from Chrome once or twice a week, including Sinowal banking trojans and the like. Google does such a poor job vetting extensions compared to Mozilla. I've been doing the opposite, moving people from Chrome to Firefox.

    Time will tell, I guess.
     
  4. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,062
    For advanced users (and companies) Google has provided Chrome Policies (https://support.google.com/chrome/a/answer/187202?hl=en) which can be used to control (blacklist/whitelist) extensions. Very effective against that kind of attack.
     
  5. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,766
    Location:
    Outer space
    I think Chrome devs recently announced something similar.
     
  6. geekatlarge

    geekatlarge Registered Member

    Joined:
    Jul 23, 2013
    Posts:
    66
    Location:
    Searching for $Windows.~BT folders
    Thanks for the link. This looks great for advanced users and companies but completely beyond the reach of average users. This is Chrome foisting responsibility for this area of browser security onto the end user, IMO.
    I knew about the NPAPI deprecation, thereby removing Java and Silverlight among other things, and I can find mention of phasing out SHA-1 for security certificates: http://googleonlinesecurity.blogspot.com/2014/09/gradually-sunsetting-sha-1.html but nothing about completely eliminating http. Am I missing something?

    I really hope Mozilla re-thinks this. Maybe they (or more likely, some trustworthy extension developer) will offer a toggle.
     
  7. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  8. Alhaitham

    Alhaitham Registered Member

    Joined:
    May 18, 2013
    Posts:
    173
    Location:
    Egypt
    Maybe this

    Found it on a thread about the Mozilla plans elsewhere

    Marking HTTP As Non-Secure
     
  9. geekatlarge

    geekatlarge Registered Member

    Joined:
    Jul 23, 2013
    Posts:
    66
    Location:
    Searching for $Windows.~BT folders
    Thank you! That's it. Guess my Google-fu was weak today. I found this FAQ there:
    That seems a saner choice. Ideally, Google would decide to implement code vetting for extensions similar to the Mozilla process and Mozilla would adopt something like Google's indicator for insecure sites.
     
  10. geekatlarge

    geekatlarge Registered Member

    Joined:
    Jul 23, 2013
    Posts:
    66
    Location:
    Searching for $Windows.~BT folders
  11. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,766
    Location:
    Outer space
    In addition to this I think I read something about implementing new features only on HTTPS, but not like Mozilla also removing current features from HTTP. Unfortunately, I can't find the source.
     
  12. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,062
  13. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,709
    I do think there are merits to the idea but wonder:

    a) how much of a difference this will make to encourage owners of current plain HTTP sites to change to HTTPS
    b) how much difference it will make to the majority of web visitors - as of now, most people don't even know the difference.
    c) will the warning sign increase awareness? Will it cause warning sign fatigue?
     
  14. Alhaitham

    Alhaitham Registered Member

    Joined:
    May 18, 2013
    Posts:
    173
    Location:
    Egypt
  15. Alhaitham

    Alhaitham Registered Member

    Joined:
    May 18, 2013
    Posts:
    173
    Location:
    Egypt
    Mozilla is working to make it easier for website owners to deploy HTTPS with Let's Encrypt.
     
  16. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,709