Mozilla announces the death of unencrypted HTTP

Discussion in 'Industry News' started by lbft, May 1, 2015.

  1. lbft

    lbft New Member

    May 15, 2013

    Mozilla has posted an announcement to their security blog that they are deprecating plain HTTP without encryption. They plan to do that by:

    Presumably nothing will happen until after Let's Encrypt's free certs are available. Google's been leaning the same way for a while - the SPDY spec required SSL, for example, so I don't think anyone will be surprised if/when the Chrome guys make a similar announcement.

    This has widespread ramifications for the industry - it breaks many filtering/proxying methods, it means shared hosts must support SNI (and likely integrate Let's Encrypt), it means the end of accessing sites via IP address and it's going to make testing before deployment a pain in the ass. 
  2. telephone

    telephone New Member

    May 16, 2013
    Well that's a huge push for Let's Encrypt. Let's hope it lives up to the hype  :).

    Personally I won't be happy with Mozilla's decision until another large player/vendor offers free SSL (not StartCom or WoSign).
    Last edited by a moderator: May 1, 2015
  3. Francisco

    Francisco Company Lube Verified Provider

    May 15, 2013
    Globalsign never did call me back even after scheduling a meeting. At this point it's pretty safe to say most CA's are scrambling to figure out WTF they're going to do with LE mere months away.

    I don't see anyone else, besides cloudflare, doing it. MS might roll it out to their Azure users as a bonus but I don't see any other CA wanting to put up all the extra servers needed to handle all the requests and the bleed of whatever they do make. While Comodo is only charging ~$3.50/year each, it's still just selling a tiny bit of CPU time. There's no physical goods sold.


    telephone likes this.
  4. concerto49

    concerto49 New Member Verified Provider

    May 5, 2013
    Or maybe people will stop using Mozilla :) who knows.
  5. lbft

    lbft New Member

    May 15, 2013
    Let's Encrypt is cross-signed by a recognised CA so all existing browsers should accept its certs anyway - so life doesn't get any easier for the CAs in a world in which Firefox is dead.
  6. dave

    dave Member

    Sep 30, 2013
    Not everything needs to be encrypted, and websites are faster without it.  What they're doing is lame.
    sv01, howardsl2 and raindog308 like this.
  7. souen

    souen Active Member

    Jun 23, 2014
    Having mixed thoughts about it. On one hand, It's a bold move on Mozilla's part, leveraging a large userbase to push for a pseudo-standard change. If Chrome or Safari throw in their weight, it may well be a done deal (which in itself may or may not be a good thing, but that's another discussion.) The sites that care most likely already have it, the sites that don't will scramble to avoid the bad publicity of being outdated or scaring off users with a insecure site warning on their browsers (like untrusted certs).

    On the other, will it be a net advantage after all the trouble for all parties involved to transition? This is assuming SSL is still a secure model and that there's no evidence to suggest otherwise. 

    That day may still be a long way off, there's no timeline yet.
  8. KuJoe

    KuJoe Well-Known Member Verified Provider

    May 17, 2013
    It doesn't look like they are forcing us to use HTTPS, only that newer features will not work on non-HTTPS websites. As long as they don't force HTTPS I'm fine with it.
  9. KwiceroLTD

    KwiceroLTD New Member Verified Provider

    Mar 6, 2015
  10. joepie91

    joepie91 New Member

    Jun 19, 2013
    From an "open web" perspective, that is absolutely "forcing", in the form of extortion. If you don't comply with this X, you won't get Y.

    Anyhow, my take on this:

    TL;DR This is a bad idea, and many things need to be fixed before this kind of step can realistically be taken.
    drmike and souen like this.
  11. sv01

    sv01 Slow but sure

    May 17, 2013
    I'd like to see a warning " Secure Connection Failed, please use another browser and use HTTPS instead" when I browse to my local dev web server.  :popcorn:  :popcorn: 
  12. souen

    souen Active Member

    Jun 23, 2014
    This. My concern is that they may be making everyone use a broken system and hoping nothing happens to the root CAs. Maybe like their extensions signing announcement, it started with good intentions, but not sure if that's where it's headed.
  13. River

    River Member Verified Provider

    May 3, 2015
    This is really interesting, I wonder how long they will phase in this new standard as many sites - specifically older sites - are not on a secure connection. It seems like a huge transition to make, and it seems like lots of people have some SSL certificates to install :)
  14. tk-hassan

    tk-hassan New Member

    Mar 11, 2015
    It was always gonna happend some time.
  15. SentinelTower

    SentinelTower New Member

    Nov 25, 2014
    I wonder what "features" they are talking about. Is it about the latests things like websocket and such or are we talking about basic tasks like displaying a web page ?

    Anyone knows if it will be possible to generate certificates by submitting a CSR on Let's Encrypt or do we have to use their agent ?
  16. Gang Starr

    Gang Starr New Member

    May 9, 2015
    I totally support this move but in my opinion it shouldn't be pushed too fast. Decrypted traffic is a issue nowadays with the NSA and the other guys and maybe even your mother :p (hell back in the years it was on the old slow expensive Internet - oh god nostalgic memories).

    On my servers I usually redirect all HTTP traffic to HTTPs only if HTTPS is available.
  17. joepie91

    joepie91 New Member

    Jun 19, 2013
    The current proposal is to restrict any new feature that cannot be polyfilled - not just "security-sensitive" features. For example, had this been introduced a few years ago, you wouldn't have had the Shadow DOM or mutation observers - both of which are critical concepts in "frontend view engines" like Polymer, Angular 2.0, and other things built on the upcoming Web Components standard.

    So yeah, this is a big deal - it's not just about hardware access. It's about all new functionality. Some good suggestions were brought up in this Hacker News thread - personally, I'm a fan of getting rid of the "SSL warning" screens in browsers.
  18. drmike

    drmike 100% Tier-1 Gogent

    May 13, 2013
    Lots of breakage will ensue.

    Unsure why Mozilla is picking this battle really.   Not innovating and slagging browser share, so let's adopt a flawed "privacy" approach to own a niche ideally.

    I'm all for SSL-enabled everything, optionally and with graceful fallback.

    Whole thing along with another "free" SSL initiative seems to be market destruction.  Hardly free economy based on consumer outcomes, but rather big money and weirdo interests doing unsound things.
    Last edited by a moderator: May 9, 2015
    souen and telephone like this.
  19. QuadraNet_Adam

    QuadraNet_Adam Active Member Verified Provider

    Jul 17, 2014
    I still remember when I used Firefox many years ago, but once I tried Chrome I never looked back :)

    Are there any updates about the development of Let's Encrypt?
  20. tdale

    tdale Member Verified Provider

    Jul 27, 2014
    Chrome is dead Adam. I did the same and now im using FF for more things than Chrome now.

    k0nsl likes this.