Mozilla users >50% HTTPS

More than half of Mozilla users are now using HTTPS. Mozilla developer Josh Aas says the browser baron's telemetry reveals more than 50 percent of page requests were made via HTTPS, an effort helped along by the Let's Encrypt initiative which hands out free HTTPS certificates. Aas says it was the first time the benchmark had …

  1. heyrick Silver badge

    to help rub out man-in-the-middle

    Absolutely not. If you go to a number of public wifi hotspots (such as a KFC near me), it'll try and pass off a dodgy certificate on you the moment you hit an HTTPS site. That's an intentional deliberate MITM.

    That is why my website is either HTTP or HTTPS (your choice). Though it seems Google index tools can't handle an "or" choice, so I have it being indexed twice - one with, one without.

    Now take a moment to contemplate the nastiness of passing off a certificate to allow the AP to snoop on https, what that entails, and how much it is wilfully breaking the supposed "trust" in the little padlock symbol. No doubt because...piracy...

    1. Anonymous Coward

      Re: to help rub out man-in-the-middle

      That's why my site is HSTS (strict), and keys pinned. If there are any shenanigans it just fails. No option to bypass using a dodgy cert, or firesheeped into using http.

      1. FIA Silver badge

        Re: to help rub out man-in-the-middle

        That's why my site is HSTS (strict), and keys pinned. If there are any shenanigans it just fails. No option to bypass using a dodgy cert, or firesheeped into using http.

        I'm not sure that'd help in this instance would it? Once you've trusted the fake root CA the proxy can intercept what it likes.

        Chrome does not perform pin validation when the certificate chain chains up to a private trust anchor. A key result of this policy is that private trust anchors can be used to proxy (or MITM) connections, even to pinned sites. “Data loss prevention” appliances, firewalls, content filters, and malware can use this feature to defeat the protections of key pinning.
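Added example, not part of any commenter's post: a simplified Python model of the two behaviours discussed in this sub-thread, HSTS plus pinning failing hard on an untrusted certificate, and pin validation being skipped when the chain ends at a locally installed (private) root. The key blobs, scenario names and the `evaluate` function are constructed for illustration, and the model assumes the browser already holds the site's HSTS and pin state from an earlier visit.

```python
import base64
import hashlib
import re

def spki_pin(spki_der: bytes) -> str:
    """RFC 7469 pin: base64 of SHA-256 over the SubjectPublicKeyInfo bytes."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def parse_pins(header: str) -> set:
    """Extract pin-sha256 values from a Public-Key-Pins header value."""
    return set(re.findall(r'pin-sha256="([^"]+)"', header))

def evaluate(chain_spkis, anchor, pins, hsts):
    """Simplified model of the browser's decision (an assumption, not browser code).
    anchor: 'public' (built-in root), 'private' (locally installed root),
            or None (chain does not reach any trusted root)."""
    if anchor is None:
        # Untrusted certificate: with HSTS there is no click-through.
        return "hard-fail" if hsts else "warning-bypassable"
    if anchor == "private":
        # Policy quoted above: pins are not checked for private anchors.
        return "accept (pins skipped)"
    chain_pins = {spki_pin(s) for s in chain_spkis}
    return "accept" if chain_pins & pins else "hard-fail"

# Constructed stand-ins for DER-encoded SPKI blobs (not real keys).
SITE_KEY = b"constructed-site-spki"
BACKUP_KEY = b"constructed-backup-spki"
PROXY_KEY = b"constructed-proxy-spki"
PROXY_ROOT = b"constructed-proxy-root-spki"

PKP_HEADER = 'pin-sha256="%s"; pin-sha256="%s"; max-age=5184000' % (
    spki_pin(SITE_KEY), spki_pin(BACKUP_KEY))
PINS = parse_pins(PKP_HEADER)

def scenarios():
    return {
        "genuine site": evaluate([SITE_KEY], "public", PINS, hsts=True),
        "hotspot cert, untrusted": evaluate([PROXY_KEY], None, PINS, hsts=True),
        "hotspot cert, no HSTS": evaluate([PROXY_KEY], None, PINS, hsts=False),
        "mis-issued by public CA": evaluate([PROXY_KEY], "public", PINS, hsts=True),
        "proxy root installed": evaluate([PROXY_KEY, PROXY_ROOT], "private", PINS, hsts=True),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:26} -> {result}")
```

Only the last scenario gets past the pins, and it requires a root the user or device administrator has already installed as trusted.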

  2. biscuit

    Speaking of which, when is The Register moving over to https? Just in case you weren't aware, it's free to get a certificate...

    1. Marco Fontani

      Please point me to where it is free to get a wildcard certificate accepted by all browsers </snark>

      To actually answer you, we're working on it… but it's not as easy as pushing a button :)

      We're currently in the process of "conservatively slowly" migrating one critical piece of our infrastructure to https for all users, and we're doing it for ~1‰ of our user base every ~10 minutes (mobile sites are already using the https version since ~Friday afternoon).

      We're _very_ conservative when it comes to doing big changes like this (i.e. TLS, IPv6, etc). Our users deserve things done right (even if quite a bit late) rather than hastily done and full of creepy crawlers!

      1. Poncey McPonceface

        Jolly good show. Superb news.

      2. heyrick Silver badge

        mobile sites are already using the https version since ~Friday afternoon

        ?

        Going to https://m.theregister.co.uk/ quietly redirects me to the non SSL version.

        Firefox, Android 5.something.

        1. Marco Fontani

          Re: mobile sites are already using the https version since ~Friday afternoon

          Going to https://m.theregister.co.uk/ quietly redirects me to the non SSL version.

          Yup, as it should - as it's not available (yet) over https. Never claimed it was. A critical part of the mobile pages now loads over https, though - not the pages themselves.

  3. Digitall

    You'd think some may know better

    Microsoft STILL don't use HTTPS for their Update Catalog even though this is now open to most mainstream browsers!
