Mozilla edict: 'Web-accessible' features need 'secure contexts'

Mozilla has decided to further lock down the Internet with the announcement that developers can only access new Firefox features from what it calls “secure contexts”. The decision means that sites wanting to fingerprint or snoop on users with web features will still be able to, but only over HTTPS. Outside snoops will …

  1. Andraž 'ruskie' Levstik

    How about... you give me some buttons that just disable all those fancy features as I want to?

    1. sabroni Silver badge

      That'd be great, but very few users would understand them or use them. Mozilla are trying to secure things for everyday users.

      It's open source, why not have a crack at those buttons yourself?

    2. Dan 55 Silver badge

      Thanks to browser exploits, the only secure way to disable them is to not compile in the feature in the first place.

    3. druck Silver badge

      How about they are disabled by default, and the browser prompts you when a site wants to fsck with your Bluetooth?

      1. sabroni Silver badge

        re: the browser prompts you when a site wants to fsck with your Bluetooth

        That's exactly what happens with location anyway, isn't it? It's certainly the way Chrome are talking about it here: https://medium.com/@jyasskin/the-web-bluetooth-security-model-666b4e7eed2

        The risk isn't so much "you visit a site and don't know it's accessing bluetooth" as "you visit a site you trusted with bluetooth and it's been compromised since you last visited it".

  2. Christian Berger Silver badge

    HTTPS can still transport malware

    and it probably already does. It's not like somehow HTTPS means that the code it transports is more trustworthy.

    If Mozilla would want to improve security, they'd make a more secure alternative to HTML/CSS/JS for web applications. Something that connects the DOM directly to a web socket, with no way to run Turing-complete code on the client. That would bring some security.

    Things like Geolocation APIs need to be disabled by default and when disabled spoof plausible, but wrong data. Giving an error message is no solution as that effectively enables applications to blackmail people into giving them the capabilities they want.

    1. Len Silver badge

      Re: HTTPS can still transport malware

      There will never be a single solution to every problem. This is not so much a security solution as a privacy solution. It has some security improving side-effects but I don't get the impression improving security is the primary goal here, improving privacy is.

    2. Charles 9 Silver badge

      Re: HTTPS can still transport malware

      Even plausible data can be winnowed down and improved upon. Basically, if it's even remotely useful for practical purposes, it can be exploited to provide an identity profile. Heck, even round-trip times (which can be gleaned even with stuff like Lynx) can be used if you winnow it enough.

      Put it this way. If you don't want people to know your address, go into the woods and do not avail of ANY government services. Similarly, if you don't want the Internet to know about you, just don't use the Internet. Full stop.

    3. Adam 1 Silver badge

      Re: HTTPS can still transport malware

      HTTPS isn't magic but it does cut out whole classes of vulnerabilities that can cause malware to be transported to you.

      Or another way, with HTTPS, the site has to be compromised or otherwise be untrustworthy (or a combination of compromised DNS and compromised CA has tricked the browser). With HTTP, you only need to connect via a rogue free WiFi access point in order to introduce malware not actually sent by the source website. And before anyone comments on some l337 haxor skills required for such pwnage, Google WiFi pineapple and then watch the YouTube instructions whilst awaiting your kit to be delivered.

  3. Anonymous Coward

    How about Cloudflare getting in the way ?

    I can't be alone in noticing that Cloudflare are messing around with some SSL sites ?

    1. DropBear Silver badge

      Re: How about Cloudflare getting in the way ?

      A few weeks back I learned about an awful lot of sites that they were Cloudflare-powered by virtue of all of them falling off the web, with some sort of SSL error - Cloudflare was throwing their hands up going "you can reach us, we can't reach this guy" but in the end, half the internet went missing for most of the holidays...

        1. Anonymous Coward

        Re: How about Cloudflare getting in the way ?

        Cloudflare are preventing access to certain "unapproved" sites in the UK by interfering with the SSL handshake.

        I'm sure it's nothing sinister though. Probably for our own good. There's a lot of fake news out there.

        You can choose not to use Cloudflare, if you know what you are doing. My worry would be that people doing that are putting their heads above the parapet.

  4. Len Silver badge

    Makes sense

    The data someone exchanges, particularly if it might help to track, identify or profile a person, is a 'contract' between the user and the site owner.

    If a site owner shows a popup or Ts&Cs stating that XYZ is happening on their site for purposes A, B and C and the visitor agrees to that they should exchange whatever they wish. Forcing stuff over TLS means that the agreement and the data stays between visitor and site owner and that snooping ISPs, intelligence agencies, marketing agencies, other people on your public WiFi network etc. can not get their hands on that info too.

    1. DropBear Silver badge

      Re: Makes sense

      "If a site owner shows a popup or Ts&Cs stating that XYZ is happening on their site for purposes A, B and C and the visitor agrees to that"

      There is no "if". The visitor shall agree by virtue of needing to use the site, as evidenced by showing up and trying to use it in the first place. There is nothing "optional" involved in it anywhere. The number of activities you have the luxury to perform on any number of alternate sites if you have a problem with the original one's T&C is exceedingly small.

      1. Charles 9 Silver badge

        Re: Makes sense

        And sometimes that number is zero if the original site is the ONLY source (and don't give me that spiel about there's always more than one source; otherwise exclusivity terms wouldn't exist).

      2. Len Silver badge

        Re: Makes sense

        The fact remains that there is some kind of agreement between the visitor and the site. If I decide it's OK for The Register to know my location, my email address and which articles I read on the site then that is an agreement between me and The Register. Clearly I am OK with that otherwise I wouldn't be here.

        What I am not OK with is for my ISP to know which articles I read or which email address I use to login. The strict use of TLS can make sure that the agreement between me and El Reg is not 'extended' to parties in between that may be eavesdropping.

        1. Charles 9 Silver badge

          Re: Makes sense

          Which would probably be countered with a demand that ISPs become like secure corporate proxies, meaning they can act as Men In The Middle.

    2. Anonymous Coward

      Re: Makes sense

      SSL isn't enough if you're on a network you don't own/control. Take my local library, for example: I went to this library to print some documents off and found that the SSL certificate for https://drive.google.com was flagging as insecure.

      Checked the certificate details in the Developer console and found that a .local certificate was in the way; my guess is an HTTP filter/proxy was involved here. Why it had picked on a file sharing site I don't know. Perhaps copyright/IP protection (it was a library that allowed access to computers running on a Windows Domain with scanner access, or perhaps it's because it's a joint venture with the city university).

      When I asked one of the help guys they called the tech team on their radio/pager and handed it to me so I could ask my question. The techie on the other end was not forthcoming and simply said "Yeah, accept it", and didn't specify why they were messing with my connections.

      I wasn't fazed really; in the end, I used another means to copy my documents off, but still, not every user would understand the implications of someone eavesdropping on a connection. Even an (apparently) secure/encrypted one...

      1. DropBear Silver badge

        Re: Makes sense

        Dropbox folder completely encrypted through EncFS. Gets around both this specific problem and snooping by the cloud host. Much less practical if you need to share any of those docs, but between different devices of mine it works fine. The original issue of being MitM-ed at all remains of course...

  5. Anonymous Coward

    uMatrix

    Or...you could simply check the box marked: "Strict HTTPS: forbid mixed content" in uMatrix.

  6. iwrconsultancy

    Dr Marvel's wonder liniment...

    "What I am not OK with is for my ISP to know which articles I read.."

    It's amazing how many people have unrealistic expectations about the security offered by HTTPS.

    It DOES NOT prevent your ISP from tracking sites or pages you visit.

    It DOES NOT prevent advertisers from acting as MITM, and reading passwords you type into the main website. Or, even logging all keystrokes typed into the browser. It is a trivial piece of coding to demonstrate that this is still possible on an HTTPS site.

    It DOES NOT prevent the kind of mass password thefts we've seen so many of in the news recently. This is because the password is decrypted as soon as it arrives on the webserver. Just in time for a malicious process planted on that server to snaffle it.

    It DOES NOT correctly identify the source of the data you see in the browser. The 'padlock' info fails to mention that data is also being supplied under numerous other certificates, as well as the declared one.

    When HTTPS is used for its intended purpose (protecting single-origin banking transactions) it does the job it was designed to do. It is not HTTPS which is at fault here. It is the hard-sell marketing hype which is the problem.

    1. diodesign (Written by Reg staff) Silver badge

      Re: Dr Marvel's wonder liniment...

      >It DOES NOT prevent your ISP from tracking sites or pages you visit.

      It does prevent ISPs from tracking pages. All the ISP sees is an encrypted connection to, say, a Wikipedia server. It has no idea which pages I'm reading.

      And I'm not so sure about your other claims, either.

      C.

      1. iwrconsultancy

        Re: Dr Marvel's wonder liniment...

        I stand corrected in that individual page hits cannot be tracked by a MITM. The full URL is not sent until after the SSL handshake. Site hits can though. As can the browser you are using and quite a lot of other info.

        Connections made when opening this page:

        Host: forums.theregister.co.uk:443

        Host: fonts.googleapis.com:443

        Host: nir.regmedia.co.uk:443

        Host: www.theregister.co.uk:443

        Host: www.googletagservices.com:443

        Host: clients1.google.com

        Host: regmedia.co.uk:443

        Host: fonts.gstatic.com:443

        Host: clients1.google.com

        Host: stats.g.doubleclick.net:443

        Host: a.dpmsrv.com:443

        Host: ib.adnxs.com:443

        Padlock info only shows a cert for theregister.co.uk, as if this is the only data source. The other sites are all SSL and therefore must use certs, but it's as if these certs do not exist.

        Since I can't access the cert info, I have no way of knowing if they are who they claim to be. (Not that I necessarily trust them all anyway!) One might well be a link inserted into an advert by a hacker, pointing to his own site using Let's Encrypt and serving a js keylogger. The browser would not flag any warning if that was the case.

        By no means the worst example, try a tabloid and there may be 50 connections, some to very dodgy sites.

        I don't know if elreg uses any special sandboxing of js or logins, but most sites do not. In which case any of these sites can crib the forum password.


Biting the hand that feeds IT © 1998–2019