Mozilla to whack HTTP sites with feature-ban stick

Insecure websites will be barred from using new hardware features and could have existing tools revoked, if Mozilla goes ahead with a push towards HTTPS. Webmasters that don't turn on HTTPS could be excluded from the new features list under a Mozilla initiative designed to rid the net of careless clear text gaffes, sending a " …

why, why, why... what is the point?

I understand that certain content needs to be secure but why all content? Why do my searches on eBay for parts for my car need to be secure? When I look on Auto Trader and read about owning an Aston Martin, why does that need to be secure? BBC News? Tide times? Weather forecasts?

Why the hell does any of that need to be secure?

In the last week I have looked at all the following, please someone explain why they need to be secure...

Haynes motor museum

The Register

BBC News

BBC iPlayer

Gig guide

Weather

Ebay motors search

Auto trader

Tesco

Ebuyer (did not purchase)

Amazon prime video

Opening hours for a couple of local shops

Why?

Anonymous Coward

Re: why, why, why... what is the point?

Yes, it's like putting four sets of gates on your driveway in case someone breaks through the first three.

It might be useful on rare occasions, but what a nuisance when you want to take your car out.


Re: why, why, why... what is the point?

"Why the hell does any of that need to be secure?"

The answer is: it doesn't. But Firefox is losing market share fast, and Mozilla is desperate to find something to distinguish Firefox by some means (and with that I mean by _any_ means) from the competition and tries to take a lead in something (and with that I mean in _anything_) that seems or can be spun to look somehow positive. This is obviously their ill-fated attempt at that.


Re: why, why, why... what is the point?

Have you ever used an open WiFi access point? On an insecure, shared, WiFi network, it is trivial to modify plain HTTP traffic to serve up porn, ads, or exploits which install malware on computers.

Do you absolutely trust your ISP? Do you absolutely trust every employee at your ISP? Your ISP can see *everything* you do in plain HTTP. And, like the above WiFi situation, your ISP (and any technical employee thereof) is in the perfect man-in-the-middle position to modify all of your insecure traffic - with or without official blessing of the company.

Or perhaps you are aware of the recent "Chinese Cannon" attack against GitHub? Did you know that the attack was only possible because people weren't requesting websites securely? Something at the same location as the Great Firewall was modifying plain HTTP traffic passing into/out of China, and adding some javascript to pages; causing unknowing users' browsers to automatically assault GitHub.

So then tell me: Why should we *not* secure websites?

Anonymous Coward

Re: why, why, why... what is the point?

Because in the year 2022, UKIP have had a landslide victory in the UK elections and have taken control of the government. However some of the more right wing elements have wrestled control from the moderate Nigel Farage and start ejecting all immigrants who have been in the country for less than 5 years. Due to the serious effects to the IT, healthcare and other industries there is a growing resistance with ordinary people who have not been reading Katie Hopkins' Sun column and are therefore not yet brainwashed.

The new MI9 force starts tracking down these immigrant sympathisers who have fallen foul of the new non-patriot act and, using their once innocent browsing history, start rounding up those who have been looking at sites which are pro-immigration, such as the BBC, Tesco, Haynes Motor Museum and certain titles on Netflix.

Luckily all this information had been stored and retained by GCHQ since 2015 and, thanks to the fact that The Register didn't use HTTPS for their login, e-mail addresses were easily gathered along with non-patriotic posts even by anonymous users.


Re: why, why, why... what is the point?

You'd better read (a) the news and (b) some history books.

If you think your news browsing, video watching, Register-posting habits -- or even your musical tastes -- do not let The Powers That Be characterise you pretty fully, you need to think again. The Powers That Be, here in "The West", of course, are reasonably benign (to what degree is a matter of discussion) at the moment; but there is absolutely no reason to assume they will stay that way, wherever you place them on the malignity spectrum at the moment.


Re: why, why, why... what is the point?

"Why the hell does any of that need to be secure?"

It's WAY TOO EASY for someone in the chain to perform a Man-In-The-Middle attack on you, and before you say the information you serve isn't important, that wouldn't matter if it's the CONNECTION they want to hijack (which they would for something like a malware injection).

Then think about ISPs like Verizon that (whether you want them to or not) inject unique session cookies into all your web traffic that ad agencies can use to identify you. You'd have to think the practice will eventually become universal, leaving the only alternative to bail out of the 'Net altogether.

Put it this way. Do you leave your doors unlocked? That's what the HTTPS Everywhere approach represents.

Anonymous Coward

Re: why, why, why... what is the point?

Put it this way. Do you leave your doors unlocked?

Yes!

But then I don't live in an inner city and also don't live in a perpetual state of paranoia thinking it is normal!

Anonymous Coward

Re: why, why, why... what is the point?

"But then I don't live in an inner city and also don't live in a perpetual state of paranoia thinking it is normal!"

Great, wouldn't want you to be paranoid. Hell if it doesn't matter, could you just let us know where you live and what time your house is normally empty?

You don't need to be paranoid, no one reading this is likely to live close to you and be of the thieving sort, so no harm eh?


Re: why, why, why... what is the point?

Too bad you could only give reasons why a website that you're handing sensitive data over to should possibly use HTTPS. Too bad you didn't give any compelling reason why ALL websites should be forced to use HTTPS.


Re: why, why, why... what is the point?

Actually, I'm not ashamed of my views and I see no reason to hide them from the powers that be. Actually, I'd be rather chuffed if they deigned to read them. Who knows, I may convince someone not to do the wrong thing.

Of course, they could read them anyway, by clicking on the "comments" section of the articles. They'd just have to check the server logs and pair them up to my static IP or DHCP lease log to find out where I lived. HTTPS doesn't negate oppressive government. They might try some blackmail, but you don't need real data for that, just a scurrilous accusation in a tabloid.

I'd rather have caching than privacy for most of my browsing. Now if I wanted to push people to CDNs and the cloud, I might want caching to go the way of the dodo.

If you want to stop oppressive government you have to get the building of the massive snooping infrastructures reversed; you have to stop the circumvention of the spirit of due process and you have to get loose and dangerously phrased laws repealed. HTTPS is small fry, it complicates troubleshooting and is often simply not required.


Re: why, why, why... what is the point?

"But then I don't live in an inner city and also don't live in a perpetual state of paranoia thinking it is normal!"

Great, wouldn't want you to be paranoid. Hell if it doesn't matter, could you just let us know where you live and what time your house is normally empty?

I have a friend who used to leave his garage unlocked and the keys to his bikes in the ignition, with the comment: "if you are in the area and want to go for a ride, just take a bike, just remember, you bend it, you mend it."

He never used to lock his patio door either.

He never had any problems.

On occasions I've forgotten to lock my car doors - one time, when I was still in the UK, I got home at 11 in the evening from work and my neighbour knocked on the door at 10 the next morning to let me know the windows were still open... My coat, briefcase, CD player and CDs were all still in the car - that was in Southampton - although speaking to my old neighbours a couple of years back, they daren't leave the cars on the street at night any more, let alone leave them unlocked!

In Birmingham, I left the car in a carpark under the Holiday Inn on Monday morning. As I picked it up on Friday evening, it was unlocked - but nothing was missing.

I tend to lock the car, but there are times I forget. The only time somebody broke in was when I was a kid and despite the door being unlocked, they used my father's golf clubs to smash the window, then made off on my kiddy bike!

The same for a friend, he had a Spitfire and was always worried somebody could cut open the roof, so he left the doors unlocked, so that if somebody wanted to steal the radio, they didn't have to cut open the roof... They cut open the roof anyway [LIFTED] idiots!


Re: why, why, why... what is the point?

"Too bad you could only give reasons why a website that you're handing over sensitive data should possibly use HTTPS. Too bad you didn't give any compelling reason why ALL websites should be forced to use HTTPS."

I thought we pointed out that ANY unencrypted communications can be MITM'd and altered to whatever ends (like Verizon's customer tags or the Chinese Cannon). At least with an encrypted channel like SSL/TLS (which HTTPS uses) it's a lot harder to achieve this.

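The open-WiFi, ISP and "Chinese Cannon" injection scenarios raised above, and the Verizon header injection mentioned earlier in the thread, come down to one property of plaintext HTTP: anyone on the path can rewrite the response and the browser cannot tell. The following is an added example written for this page (not code from the article or from any commenter). It simulates an on-path box adding a tracking header and a script to a constructed HTTP response, then shows the same rewrite failing against a payload protected by an integrity tag. The HMAC here stands in for the per-record integrity protection TLS gives HTTPS; the session key, the page contents and the injected script target are all constructed for the example.

```python
"""Added example (editor's, not from the article or any commenter): what an
on-path box can do to a plaintext HTTP response, and why an integrity-
protected channel stops it. An HMAC tag stands in for the per-record
integrity protection TLS gives HTTPS. All traffic is constructed inline."""
import hashlib
import hmac

# Constructed sample: a harmless page served over plain HTTP.
ORIGINAL_BODY = b"<html><head><title>Tide times</title></head><body>hi</body></html>"
ORIGINAL_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: " + str(len(ORIGINAL_BODY)).encode() + b"\r\n"
    b"\r\n" + ORIGINAL_BODY
)

# Hypothetical session key shared by client and server (TLS derives one per
# connection; a fixed one is used here so the example runs offline).
SESSION_KEY = b"constructed-demo-key"


def parse_response(raw: bytes):
    """Split a raw HTTP/1.1 response into (status line, header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status, *header_lines = head.split(b"\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def onpath_rewrite(raw: bytes, inject_js: bytes, tracking_id: bytes) -> bytes:
    """What a hostile AP, ISP box or national firewall can do to plaintext:
    append a tracking header and a script, and fix up Content-Length so the
    browser sees a perfectly well-formed response."""
    status, headers, body = parse_response(raw)
    body = body.replace(b"</body>", b"<script>" + inject_js + b"</script></body>", 1)
    headers[b"x-tracking-id"] = tracking_id
    headers[b"content-length"] = str(len(body)).encode()
    head = b"\r\n".join([status] + [k + b": " + v for k, v in headers.items()])
    return head + b"\r\n\r\n" + body


def seal(key: bytes, raw: bytes) -> bytes:
    """Attach an integrity tag, as the TLS record layer does for each record."""
    tag = hmac.new(key, raw, hashlib.sha256).digest()
    return raw + tag


def open_sealed(key: bytes, sealed: bytes):
    """Return (ok, payload); ok is False if a single byte was altered."""
    raw, tag = sealed[:-32], sealed[-32:]
    expected = hmac.new(key, raw, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False, None
    return True, raw


def tamper_sealed(sealed: bytes, inject_js: bytes, tracking_id: bytes) -> bytes:
    """The same on-path rewrite applied to a sealed record. Real TLS also
    encrypts the payload, so the attacker could not even read it; here it is
    left readable to show that, even so, the tag cannot be forged without
    the session key."""
    raw, tag = sealed[:-32], sealed[-32:]
    return onpath_rewrite(raw, inject_js, tracking_id) + tag


def demo() -> dict:
    js = b"fetch('https://victim.example/')"   # hypothetical target, as in the GitHub attack
    injected = onpath_rewrite(ORIGINAL_RESPONSE, js, b"abc123")
    sealed = seal(SESSION_KEY, ORIGINAL_RESPONSE)
    ok_clean, _ = open_sealed(SESSION_KEY, sealed)
    ok_tampered, _ = open_sealed(SESSION_KEY, tamper_sealed(sealed, js, b"abc123"))
    return {"plain_injected": b"<script>" in injected,
            "sealed_intact": ok_clean,
            "sealed_tampered_accepted": ok_tampered}


if __name__ == "__main__":
    print(demo())
```

The rewritten plaintext response is indistinguishable from a genuine one (Content-Length is recomputed, so it parses cleanly), which is why the injected script runs in every visitor's browser regardless of how dull the page itself is; the sealed version is rejected as soon as one byte changes.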

Re: why, why, why... what is the point?

Playing Russian roulette: most of the time you are safe, but just once ...


Re: why, why, why... what is the point?

Simply: because your ebay searches being encrypted makes your bank transactions more secure.

Also not for nothing but what you read on BBC news, what (and that/where) you buy at Tesco and what cars you're looking at can build a geographical, psychological and (frankly) political profile of you - and also be used by criminals to figure out when you've buggered off out to do your shopping, or target whatever car you're buying for theft.

And last but not least, there's no good reason not to encrypt all your data. You say why - I say why the hell not, it's a zero-cost solution to a pervasive problem. It doesn't have to be governments, but they can be part of the problem. Just accept crypto into your heart and get back on with your life.


Re: why, why, why... what is the point?

It is not zero cost as any sysadmin, network engineer, or infrastructure provider will tell you right off. The question remains cost-benefit analysis. I won't even try. I know all the factors, it's the weighting of them that is at question. My situation is so bizarre that I'm a complete outlier. Up to y'all but I'll jump in with corrections natch.


Re: why, why, why... what is the point?

"I have a friend who used to leave his garage unlocked and the keys to his bikes in the ignition, with the comment: "if you are in the area and want to go for a ride, just take a bike, just remember, you bend it, you mend it."

He never used to lock his patio door either.

He never had any problems."

Before the days when you were legally required to keep a record of who has driven your motor vehicle in the last 14 days, I take it?

Try that today and you're legally liable for any and all speeding tickets.


Re: why, why, why... what is the point?

"The new MI9 force starts tracking down these immigrant sympathisers who have fallen foul to the new non-patriot act and using their, once innocent, browsing history start rounding up those who have been looking at sites which are pro-immigration, such as the BBC, Tesco, Haynes Motor Museum..."

They still know that, unless you encrypt your DNS lookups.

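The DNS point above, together with the earlier observation that an ISP sees everything in plain HTTP, is about what a passive on-path observer still learns once a site moves to HTTPS. The following is an added example written for this page (not code from the article or from any commenter). It builds a minimal TLS ClientHello by hand, extracts the server name from it the way any packet sniffer would, and contrasts that with what the same observer reads out of a plaintext HTTP request. The hostname, path and request bytes are constructed for the example; the parser handles the one extension it needs and returns None on anything malformed.

```python
"""Added example (editor's, not from the article or any commenter): what a
passive observer (ISP, open AP, anyone holding the netflow) sees on the wire.
With plain HTTP it is the whole request line; with HTTPS it is the server
name in the TLS ClientHello (SNI), the same name the DNS lookup already
exposed, and nothing about the path. The ClientHello is built by hand so
the example runs offline."""
import struct

# Constructed sample: a plaintext request exactly as an on-path box sees it.
HTTP_REQUEST = (b"GET /search?q=aston+martin HTTP/1.1\r\n"
                b"Host: www.example.com\r\n\r\n")


def build_client_hello(hostname: str) -> bytes:
    """Minimal TLS 1.2-style ClientHello carrying only an SNI extension."""
    name = hostname.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list   # extension type 0 = server_name
    exts = struct.pack("!H", len(ext)) + ext
    body = (b"\x03\x03" + bytes(32)                       # client_version, random (zeroed)
            + b"\x00"                                     # empty session_id
            + struct.pack("!H", 4) + b"\x13\x01\xc0\x2f"  # two cipher suites
            + b"\x01\x00"                                 # compression: null only
            + exts)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Pull the host_name out of a ClientHello record, or None if absent."""
    if len(record) < 5 or record[0] != 0x16:
        return None
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    p = 2 + 32                                             # skip version and random
    try:
        p += 1 + body[p]                                   # session_id
        p += 2 + struct.unpack("!H", body[p:p + 2])[0]     # cipher_suites
        p += 1 + body[p]                                   # compression_methods
        end = p + 2 + struct.unpack("!H", body[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", body[p:p + 4])
            data, p = body[p + 4:p + 4 + elen], p + 4 + elen
            if etype != 0:
                continue
            q = 2                                          # skip server_name_list length
            while q + 3 <= len(data):
                ntype = data[q]
                nlen = struct.unpack("!H", data[q + 1:q + 3])[0]
                q += 3
                if ntype == 0:
                    return data[q:q + nlen].decode("ascii", "replace")
                q += nlen
    except (IndexError, struct.error):
        return None
    return None


def observer_view(packet: bytes) -> dict:
    """Summarise what a passive on-path observer learns from one packet."""
    if packet[:1] == b"\x16":
        return {"protocol": "tls", "visible": extract_sni(packet)}
    request_line, _, rest = packet.partition(b"\r\n")
    method, path, _ = request_line.split(b" ", 2)
    host = b""
    for line in rest.split(b"\r\n"):
        if line.lower().startswith(b"host:"):
            host = line.partition(b":")[2].strip()
    return {"protocol": "http",
            "visible": (method + b" http://" + host + path).decode("ascii", "replace")}


if __name__ == "__main__":
    print(observer_view(HTTP_REQUEST))
    print(observer_view(build_client_hello("www.example.com")))
```

So the commenter is right that the destination site is not hidden by HTTPS alone: the name is in the DNS query and again in the SNI field. What HTTPS removes from the observer's view is the path, query string, cookies and the page content itself, which is the part that distinguishes "visited the BBC" from "read this particular article".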
Anonymous Coward

Re: why, why, why... what is the point?

The reason why this is a bad idea is that it raises the entry barrier to having a web presence. Most certificates aren't free, and the skills required to set it up are not necessarily within reach of the most basic providers or admins.

Not a problem for the web giants or even for most website owners in the developed world. However, it does put up a significant barrier to those whose voices need to be heard the most.

Which is why I cannot support this idea, at least not unless Mozilla dig into their deep pockets to set up a non-profit, free for the user, certificate authority.


Re: why, why, why... what is the point?

Why should I care about github, or any other website? Let them take care of their own security, why do I have to sponsor them?

Why should I care about some oik at an ISP watching my browsing of an entomology site, and why should the entomology site need to get an SSL certificate?

Let eBay, Facebook, Google, Yahoo, Amazon and the banks secure their own fucking businesses and leave the rest of us alone. Seems to me that all of this is to make the poor pay the cost of web security.


Re: why, why, why... what is the point?

Which is why I cannot support this idea, at least not unless Mozilla dig into their deep pockets to set up a non-profit, free for the user, certificate authority.

I'm afraid then, Mr/Ms Coward, you'll have to wait until last November before you can strike that off your list of demands, er, reasons why you cannot support this idea.


Re: why, why, why... what is the point?

Also,

https://letsencrypt.org/

Can't arrive too soon.


Re: why, why, why... what is the point?

"Before the days when you were legally required to keep a record of who has driven your motor vehicle in the last 14 days, I take it?"

Eh? What? Since when?

Are we talking UK here? Is this one of the 10's of 1000's of new laws and statutory instruments enacted over the last 18 or so years? (I suspect that alone might be an argument in court to defeat the "ignorance of the law is no excuse" thing.)


Re: why, why, why... what is the point?

@John Brown

Since they changed the rules for speeding tickets. If a fixed camera issues you with a speeding ticket then they have to get the ticket to you within 14 days but assuming they do then you're expected by law to know who was driving at the time of the offence.

It's intended to close the loophole that got a lot of people off on speeding tickets because the police couldn't identify who was driving from the camera photo. If you can't prove who did the crime you can't prosecute.

Now, if you get a speeding ticket, you will notice new references that say that if you can't identify the driver then the owner is liable.

See point 1

Anonymous Coward

Re: why, why, why... what is the point? @Raumkraut

"Have you ever used an open WiFi access point? On an insecure, shared, WiFi network, ...

Do you absolutely trust your ISP? Do you absolutely trust every employee at your ISP? Your ISP can see *everything* you do in plain HTTP."

Do you use a telephone? If so, what do you use to effect end-to-end session security?


Re: why, why, why... what is the point?

@Russell Hancock - "In the last week I have looked at all the following, please someone explain why they need to be secure.."

Most of those sites you listed will be going to http/2 anyway, which is encrypted by default and has no unencrypted mode. They'll be going to it because it will give them better performance, use less bandwidth, and work better with mobile. Tests so far have shown http/2 with encryption to be faster than regular http without encryption. Chrome and Firefox already support it, and the other browser vendors will be following suit if they haven't already.

Mozilla's proposal is for what to do about sites that don't change to http/2 because they don't want to change anything. Their proposal is that those sites will continue to work as is for the foreseeable future, they just won't be able to access new browser features. Since those site operators who claim they don't want to change anything won't be accessing new features anyway, then they've really nothing to complain about, do they?

The only people who will be affected are those who want to use the latest bleeding edge web technologies, but don't want to do it over http/2 or encrypted http.

Anonymous Coward

Re: why, why, why... what is the point?

And last but not least there's not good reason not to encrypt all your data.

So for my "website under construction" holding page, I need to implement encryption? Likewise for the pages that get displayed when a website is busy (doesn't happen so often these days with flexible cloud provisioning) or offline for maintenance/update?

There is much that needs to be thought through on this proposal...


Re: why, why, why... what is the point?

Why is simple: it allows the cert issuers to snoop on metadata. While there are ways to do certificate revocation that don't ask the CA every time you talk to your bank, they aren't well supported. That metadata links your computer to the remote site and typically provides enough data to figure out what pages you went to with absolute certainty just by using the netflow data (which your ISP is already collecting) combined with the CA's data. Oddly enough you can't do that with http without looking inside the packets. There is no plausible deniability with https as there are records it came from your computer, not your network.

Remember that all major CAs were founded by spooks. Some of them are much better at their jobs than most of the "security experts" on the net.


Re: why, why, why... what is the point?

@Mycho

Before the days when you were legally required to keep a record of who has driven your motor vehicle in the last 14 days, I take it?

Try that today and you're legally liable for any and all speeding tickets.

No such requirement here, and if you cannot be clearly identified on the photo (assuming it wasn't an actual pullover), then you can generally not be prosecuted. Companies have to have a log book for all company vehicles that aren't driven by one person.


Re: why, why, why... what is the point?

"Why should we *not* secure websites?"

Because:

1. It is a burden for people running smaller websites that don't have logins etc. that don't actually need to be "secure". Whether or not this can be hijacked by nefarious people shouldn't be the web site's problem.

2. Numerous public APs force false certificates at you if you go to https sites - KFC I'm looking at you - which either intentionally breaks or intentionally compromises the basic security expectations.

3. Remind me - where is the mechanism to prove that site X is really site X? We are mostly stuck with taking somebody else's word for it...


Re: why, why, why... what is the point?

>> Try that today and you're legally liable for any and all speeding tickets.

> No such requirement here, and if you cannot be clearly identified on the photo (assuming it wasn't an actual pullover), then you can generally not be prosecuted.

Don't know where you are, but in England (probably England and Wales, dunno about Scotland and NI) the registered keeper can certainly be prosecuted as a result of speeding by someone else. The first thing that happens is a form is sent to the registered keeper asking who the driver was at the time. If you cannot or will not identify the driver then you as the registered keeper **WILL** be prosecuted - not for the speeding offence, but for failing to identify the driver. The penalty is the same, so as pointed out, it's to remove the loophole where failing to identify the driver gets someone off a speeding charge.

I know people who have been on the receiving end of this.

Vic

Re: why, why, why... what is the point?

Most certificates aren't free, and the skills required to set it up are not necessarily within reach of the most basic providers or admins.

Seriously?

If an admin can't set up an SSL certificate, he shouldn't be an admin. It's incredibly simple...

Vic.


Re: why, why, why... what is the point?

"Because in the year 2022, UKIP have had a landslide victory in the UK elections and have taken control of the government"

Oh for goodness sake. I am still amazed by the number of supposedly intelligent people that have fallen for the Lab/Green/SNP/PlaidC bulldust about UKIP. They don't like UKIP because they want to stay on track to their Marxist "utopia", The People's Republic of EUland. But they won't admit that in public.

UKIP are against "open door, uncontrolled, undocumented Immigration" ... which is freely translated from the plain English into "UKIP hate all non-whites and will gun down all immigrants". If you can't see the disconnect there then Gawd help you. Go ahead and vote away your future rights to vote on anything substantive after the REAL threat comes to final fruition in Brussels.


Re: why, why, why... what is the point?

"Since they changed the rules for speeding tickets. If a fixed camera issues you with a speeding ticket then they have to get the ticket to you within 14 days but assuming they do then you're expected by law to know who was driving at the time of the offence."

Thanks, I didn't know about that. It all sounds like something Blair introduced as a statutory instrument at the behest of ACPO.


Re: why, why, why... what is the point?

Why should we *not* secure websites?

Because it's a terrible waste of resources. It burns CPU cycles, bloats network messages, and interferes with some forms of caching and compression (e.g. by transparent gateways). Because it's a stupid attempt at security-by-fiat which imposes the same threat model on every use. It's cargo-cult programming.


Re: why, why, why... what is the point?

If you only secure data you want to keep secret, then you are telling the bad guys exactly which data they should concentrate on. If you secure all data, then the bad guys will waste resources trying to decrypt your cat videos or e-mail to your grandmother. Most people won't stop using their debit cards, cell phones, etc to protect their privacy because it is too inconvenient . Using HTTPS when possible is one of the easiest ways to protect your privacy with very little hassle.


Action. Counteraction.

Firefox relegates web sites that do not use HTTPS. Users relegate Firefox to the also-ran category.

Also, please don't try to draw an equal sign between "insecure websites" and "HTTP only". A site isn't necessarily insecure by any means if it uses HTTP only, and surely isn't secure just because it uses HTTPS. Security is a far more complex issue than could be reduced to HTTP vs HTTPS.


Re: Action. Counteraction.

Before even thinking about this, Mozilla ought to fix Firefox so that it can communicate through a non-standard port with a secure server (ie. not supporting SSLv3), rather than giving up with "Cannot communicate securely with peer: no common encryption algorithm(s). (Error code: ssl_error_no_cypher_overlap)"! As it is, I have to resort to using IE to configure WHM/cPanel.


Re: Action. Counteraction.

This is just copy-catting, Google are trying to push sites to do this with Chrome as well... And Google are flagging up valid Certs using SHA1 as insecure - unless they come from Google...


Re: Action. Counteraction.

unless they come from Google

Faulty assertion made on the assumption that Google isn't going to change their certs. Protip: they are.


Re: Action. Counteraction.

@FF22 - Firefox relegates web sites that do not use HTTPS. Users relegate Firefox to the also-ran category.

Planning on browsing the web with telnet then? Google has already announced their own plans to achieve the same result. The other vendors will do the same if they haven't announced plans already. If anything, Mozilla are taking a much softer line on this than Google are. They're not working alone on this, as companies such as Cisco and Akamai are in it with them. The IETF, IAB, and W3C want some sort of solution, and even the US government is pushing vendors to come with something.

Mozilla will be making a proposal to the W3C. The browser vendors and various other interests will kick the idea around and come up with a common plan and schedule so that site owners will know what they need to do. Under Mozilla's proposal, existing sites will continue to work as is. It's when they want to access new features (e.g. getting access to your web cam) that they will need to do so through encrypted means (Firefox already requires this for some features).

The very first question in Mozilla's FAQ is "Q. Does this mean my unencrypted site will stop working?" Their answer is "Not for a long time" (they're talking to other companies about a joint plan for what to do over the long term).

So oh mighty ruler of the Internet, it appears you're panicking for no reason.


Re: Action. Counteraction.

@streaky yes, they will change them, but they haven't yet, even though they are flagging non-Google properties already as insecure.


Eeejits!

My own website is a very simple affair. No javascript and no flash, just a bit of css and some ordinary links. If that suffers, then it looks like I'll need to change my front page... Advising people not to use Firefox.

Anonymous Coward

Re: Eeejits!

More to the point, it just isn't worth the expense of a trusted certificate for the sort of sites I run.

Yes, I'd like some security when providing my login details… a self-signed certificate is "good enough", provided people are smart enough to look beyond the warning messages and do a few basic checks.

I've looked into getting a certificate. The free ones are either trials (30~90 days) or have limitations like no subdomains (i.e. you must own the domain). I run my sites on a free subdomain simply because the site is not revenue raising. I'm not prepared to pay AU$30/year just to have a site on the 'net.

Anonymous Coward

Re: Eeejits!

More to the point, it just isn't worth the expense of a trusted certificate for the sort of sites I run.

Expense? How expensive is free?


Re: Eeejits!

The article says that sites using opportunistic encryption will also get all the features and a self-signed certificate will not set off alarms if opportunistic encryption is used.

Anonymous Coward

Re: Eeejits!

More to the point, it just isn't worth the expense of a trusted certificate for the sort of sites I run.

Expense? How expensive is free?

Show me the form where I upload the .crl file to retrieve a signed .crt and I'll believe you. Does this new fangled automatic CA have keys trusted by the common web browsers? Firefox is likely, but how about Chrome, IE, Safari?

All I can see is "Arriving Mid-2015"… maybe you've got keys to a DeLorean, I do not.

Anonymous Coward

Re: Eeejits!

"do a few basic checks"

What are these few basic checks that can make a self-signed certificate trustworthy and give full confidence to all your visitors?

Anonymous Coward

Re: Eeejits!

"Does this new fangled automatic CA have keys trusted by the common web browsers? Firefox is likely, but how about Chrome, IE, Safari?"

Apparently it will, that is a good link and will be a valuable resource once it launches, thanks Mr Coat. I currently have an army of self-signed certs signed by my own CA that is trusted across my machines by GPO and I pay for certs for any public facing stuff, so this will be a welcome service and will definitely save me some costs.

Especially good because all my stuff is for geek fun, none of it makes any money.
