Mozilla announces the death of unencrypted HTTP

[lbft]

https://blog.mozilla.org/security/2015/04/30/deprecating-non-secure-http/

Mozilla has posted an announcement to their security blog that they are deprecating plain HTTP without encryption. They plan to do that by:

1. Setting a date after which all new features will be available only to secure websites
2. Gradually phasing out access to browser features for non-secure websites, especially features that pose risks to users’ security and privacy.

Presumably nothing will happen until after Let's Encrypt's free certs are available. Google's been leaning the same way for a while - the SPDY spec required SSL, for example, so I don't think anyone will be surprised if/when the Chrome guys make a similar announcement.

This has widespread ramifications for the industry - it breaks many filtering/proxying methods, it means shared hosts must support SNI (and likely integrate Let's Encrypt), it means the end of accessing sites via IP address and it's going to make testing before deployment a pain in the ass. 

 

[telephone]

Well that's a huge push for Let's Encrypt. Let's hope it lives up to the hype  .

Personally I won't be happy with Mozilla's decision until another large player/vendor offers free SSL (not StartCom or WoSign).

 

[Francisco]

Globalsign never did call me back even after scheduling a meeting. At this point it's pretty safe to say most CA's are scrambling to figure out WTF they're going to do with LE mere months away.

Personally I won't be happy with Mozilla's decision until another large player/vendor offers free SSL (not StartCom or WoSign).

I don't see anyone else, besides cloudflare, doing it. MS might roll it out to their Azure users as a bonus but I don't see any other CA wanting to put up all the extra servers needed to handle all the requests and the bleed of whatever they do make. While Comodo is only charging ~$3.50/year each, it's still just selling a tiny bit of CPU time. There's no physical goods sold.

Francisco

Francisco

 

[concerto49]

Globalsign never did call me back even after scheduling a meeting. At this point it's pretty safe to say most CA's are scrambling to figure out WTF they're going to do with LE mere months away.


Francisco

Or maybe people will stop using Mozilla who knows.

 

[lbft]

Or maybe people will stop using Mozilla who knows.

Let's Encrypt is cross-signed by a recognised CA so all existing browsers should accept its certs anyway - so life doesn't get any easier for the CAs in a world in which Firefox is dead.

 

[dave]

Not everything needs to be encrypted, and websites are faster without it.  What they're doing is lame.

 

[souen]

Having mixed thoughts about it. On one hand, It's a bold move on Mozilla's part, leveraging a large userbase to push for a pseudo-standard change. If Chrome or Safari throw in their weight, it may well be a done deal (which in itself may or may not be a good thing, but that's another discussion.) The sites that care most likely already have it, the sites that don't will scramble to avoid the bad publicity of being outdated or scaring off users with a insecure site warning on their browsers (like untrusted certs).

On the other, will it be a net advantage after all the trouble for all parties involved to transition? This is assuming SSL is still a secure model and that there's no evidence to suggest otherwise. 

That day may still be a long way off, there's no timeline yet.

 

[KuJoe]

It doesn't look like they are forcing us to use HTTPS, only that newer features will not work on non-HTTPS websites. As long as they don't force HTTPS I'm fine with it.

 

[KwiceroLTD]

Finally.

 

[joepie91]

It doesn't look like they are forcing us to use HTTPS, only that newer features will not work on non-HTTPS websites. As long as they don't force HTTPS I'm fine with it.

From an "open web" perspective, that is absolutely "forcing", in the form of extortion. If you don't comply with this X, you won't get Y.

Anyhow, my take on this: http://cryto.net/~joepie91/blog/2015/05/01/on-mozillas-forced-ssl/

TL;DR This is a bad idea, and many things need to be fixed before this kind of step can realistically be taken.

 

[sv01]

I'd like to see a warning " Secure Connection Failed, please use another browser and use HTTPS instead" when I browse to my local dev web server.  opcorn:  opcorn: 

 

[souen]

From an "open web" perspective, that is absolutely "forcing", in the form of extortion. If you don't comply with this X, you won't get Y.

Anyhow, my take on this: http://cryto.net/~joepie91/blog/2015/05/01/on-mozillas-forced-ssl/

TL;DR This is a bad idea, and many things need to be fixed before this kind of step can realistically be taken.

This. My concern is that they may be making everyone use a broken system and hoping nothing happens to the root CAs. Maybe like their extensions signing announcement, it started with good intentions, but not sure if that's where it's headed.

 

[River]

This is really interesting, I wonder how long they will phase in this new standard as many sites - specifically older sites - are not on a secure connection. It seems like a huge transition to make, and it seems like lots of people have some SSL certificates to install

 

[tk-hassan]

It was always gonna happend some time.

 

[SentinelTower]

I wonder what "features" they are talking about. Is it about the latests things like websocket and such or are we talking about basic tasks like displaying a web page ?

Anyone knows if it will be possible to generate certificates by submitting a CSR on Let's Encrypt or do we have to use their agent ?

 

[Gang Starr]

I totally support this move but in my opinion it shouldn't be pushed too fast. Decrypted traffic is a issue nowadays with the NSA and the other guys and maybe even your mother (hell back in the years it was on the old slow expensive Internet - oh god nostalgic memories).

On my servers I usually redirect all HTTP traffic to HTTPs only if HTTPS is available.

 

[joepie91]

I wonder what "features" they are talking about. Is it about the latests things like websocket and such or are we talking about basic tasks like displaying a web page ?

Anyone knows if it will be possible to generate certificates by submitting a CSR on Let's Encrypt or do we have to use their agent ?

The current proposal is to restrict any new feature that cannot be polyfilled - not just "security-sensitive" features. For example, had this been introduced a few years ago, you wouldn't have had the Shadow DOM or mutation observers - both of which are critical concepts in "frontend view engines" like Polymer, Angular 2.0, and other things built on the upcoming Web Components standard.

So yeah, this is a big deal - it's not just about hardware access. It's about all new functionality. Some good suggestions were brought up in this Hacker News thread - personally, I'm a fan of getting rid of the "SSL warning" screens in browsers.

 

[drmike]

Lots of breakage will ensue.

Unsure why Mozilla is picking this battle really.   Not innovating and slagging browser share, so let's adopt a flawed "privacy" approach to own a niche ideally.

I'm all for SSL-enabled everything, optionally and with graceful fallback.

Whole thing along with another "free" SSL initiative seems to be market destruction.  Hardly free economy based on consumer outcomes, but rather big money and weirdo interests doing unsound things.

 

[QuadraNet_Adam]

I still remember when I used Firefox many years ago, but once I tried Chrome I never looked back

Are there any updates about the development of Let's Encrypt?

 

[tdale]

Chrome is dead Adam. I did the same and now im using FF for more things than Chrome now.

I still remember when I used Firefox many years ago, but once I tried Chrome I never looked back

Are there any updates about the development of Let's Encrypt?