HTTP SOL
May 1, 2015 12:09 PM

Mozilla is moving to deprecate support of HTTP:

After a robust discussion on our community mailing list, Mozilla is committing to focus new development efforts on the secure web, and start removing capabilities from the non-secure web. There are two broad elements of this plan:
* Setting a date after which all new features will be available only to secure websites
* Gradually phasing out access to browser features for non-secure websites, especially features that pose risks to users’ security and privacy.

posted by Chrysostom (84 comments total) 21 users marked this as a favorite
 
For fucks' sake...
posted by wotsac at 12:24 PM on May 1, 2015 [3 favorites]


Mozilla: We're Relevant, Dammit!
posted by NoxAeternum at 12:29 PM on May 1, 2015 [5 favorites]


This is pretty dumb given the current state of tls certs and the braindead way self-signed certs are handled.
posted by ryanrs at 12:30 PM on May 1, 2015 [39 favorites]


well this is dumb.
posted by boo_radley at 12:30 PM on May 1, 2015


I mean, it seems like a really good idea, security-wise, but it kind of leaves folks like me in the lurch. Am I going to have to pay the SSL cert extortion fee? Will they support a move to create a low-cost or free method of validating self-signed certificates for the hobbyist and home users out there?
posted by caution live frogs at 12:31 PM on May 1, 2015 [19 favorites]


I wonder how they're going to deal with the EULA pages that free wifi providers at, like, airports use - the ones that intercept the first request. the UX already isn't great when all you want to use is an app like maps or something, but it's really really bad when you get a cert error because of the MITM attack that's happening that you want/need to happen so you can get at the damn wifi.
posted by Fraxas at 12:31 PM on May 1, 2015 [11 favorites]


caution live frogs,

I get my SSL cert for $5/year - so at least the extortion fee isn't *that* high.
posted by Fraxas at 12:31 PM on May 1, 2015 [2 favorites]


Because our five page long blogs all need $75/yr SSL certificates.
posted by pan at 12:32 PM on May 1, 2015 [6 favorites]


If you've given a non-HTTPS page (say, ma.ps) access to a sensitive API (such as geolocation) and visit a café with a rogue WiFi, the café owner will be able to inject traffic that pretends to be ma.ps, thus gaining access to the sensitive API, pinpointing the location of his café with high accuracy.

> Am I going to have to pay the SSL cert extortion fee?

That's going away.
posted by you at 12:33 PM on May 1, 2015 [15 favorites]


Fraxas, please point me to the $5 SSL certs, I need several!
posted by quonsar II: smock fishpants and the temple of foon at 12:34 PM on May 1, 2015 [1 favorite]


Fraxas, think about stuff like updating the cert on your home router's settings page every year. Or your TV. There are a lot of little web servers around without the infrastructure to handle certs, even when the certs themselves are free.
posted by ryanrs at 12:35 PM on May 1, 2015 [8 favorites]


Quonsar, I get free 1 year certs from startssl.com.
posted by ryanrs at 12:36 PM on May 1, 2015 [4 favorites]


Looking at Wikipedia's stats, Safari and Chrome seem to have made Firefox defunct. Funny that.
posted by a lungful of dragon at 12:37 PM on May 1, 2015


Sigh. This made the rounds on Hacker News yesterday. To head off some common complaints:
  • They're talking about deprecating plaintext HTTP, not removing support for it.
  • There are good reasons for this. When they say "browser features", what they're mainly talking about are privacy-sensitive things like geolocation, or access to your microphone and webcam. For obvious reasons, these features require the user to explicitly provide permission. But if they're used on an http:// site, you have no idea who you're granting permission to. That code could have been modified by your ISP, or your government, or whoever set up the wi-fi at the coffee shop you're sitting in, or just any random person on your local network.
  • This is not a hypothetical problem; ISPs (including Comcast) have already demonstrated that they're willing to hijack your plaintext connections to inject ads.
  • HTTPS is becoming cheaper and easier to set up. This move is being done in conjunction with the Let's Encrypt project, which aims to make SSL certificate setup free and effortless. If you don't want to wait for that to take off, you can already get free certificates from StartSSL.
  • Yes, the CA architecture has problems. No, nobody's come up with anything else that works as well.
  • Mozilla isn't doing this unilaterally; Chrome has already announced similar plans in the last few months.
  • For development purposes, "localhost" will continue to be treated as secure. If that isn't good enough, creating your own internally-trusted CA is probably a lot easier than you're imagining.
  • The fact that they're talking about this now doesn't mean it's going to happen soon. Browser vendors are very serious about doing slow, methodical, careful rollout plans, even for much tinier compatibility issues than this one.
Anything else?
posted by teraflop at 12:37 PM on May 1, 2015 [121 favorites]


> For development purposes, "localhost" will continue to be treated as secure

Man I wish Chrome would do this.
posted by aubilenon at 12:40 PM on May 1, 2015 [1 favorite]


> For development purposes, "localhost" will continue to be treated as secure

I was told all the best warez was at 127.0.0.1
posted by kmz at 12:41 PM on May 1, 2015 [20 favorites]


Or maybe they're talking about unencrypted connections to localhost being treated as secure, while https to localhost with a self-signed cert will continue to be shitty
posted by aubilenon at 12:42 PM on May 1, 2015


> I wonder how they're going to deal with the EULA pages that free wifi providers at, like, airports use

This is called captive portal detection. Android and ChromeOS do it by making a test request to a known "no-op" HTTP URL; it looks like Firefox will be doing something similar.

> Man I wish Chrome would do this.

That's the plan.
posted by teraflop at 12:44 PM on May 1, 2015 [4 favorites]


Google has been making noise about giving preference to https-only sites for some time, this helps that along a little bit. (They've already started to point out non-mobile-friendly sites in search results.)

Really excited to see encryption become default for everything--once the tyranny of certificate providers gets toppled a bit that should help. The real stumbling blocks, as always, are going to be ads and marketing. Some SaaS sites don't play well with https connections either, so that should be fun.
posted by fifteen schnitzengruben is my limit at 12:53 PM on May 1, 2015


When you think about it, it's kind of funny that they put all these warning icons and red Xs on HTTPS web sites that have less than optimal security, but put no warning at all on unsecured sites.
posted by smackfu at 1:00 PM on May 1, 2015 [7 favorites]


There's good reasons to care about this even if you don't mind being spied on. For example, encrypting http traffic prevents wi-fi providers from injecting ads into your web pages, and it can help stop your ISP/government from using your browser to DDOS dissenting websites.
posted by rustcrumb at 1:12 PM on May 1, 2015 [5 favorites]


This is one of those things that are good "In Theory" Like Perl 6...
posted by mikelieman at 1:22 PM on May 1, 2015 [3 favorites]


Unless you're auditing your CAs on a regular basis, SSL doesn't make anything truly secure. It just means that casual eavesdropping will be significantly reduced.

And I don't expect it is a coincidence that I saw this story WHILE debugging an SSL/TLS issue.
posted by blue_beetle at 1:23 PM on May 1, 2015 [1 favorite]


I've figured we'd end up with a push for https everywhere... and I'd say it's overall a good thing (without disputing any point above the CA infrastructure having issues.) Some time in the next few years we'll hit a tipping point where ordinary web users will have seen enough headlines about this that they'll end up thinking "https good, http bad" and then it'll snowball fast.
posted by Zed at 1:26 PM on May 1, 2015


Dammit, I like being able to troubleshoot things by connecting via telnet to port 80 and issuing GET statements.
posted by rmd1023 at 1:30 PM on May 1, 2015 [6 favorites]


> There are good reasons for this. When they say "browser features", what they're mainly talking about are privacy-sensitive things like geolocation, or access to your microphone and webcam.

The word “mainly” in this sentence is impossible to ignore.

To quote the blog post, this is a two-pronged attack:
  1. Setting a date after which all new features will be available only to secure websites
  2. Gradually phasing out access to browser features for non-secure websites, especially features that pose risks to users’ security and privacy.
You're addressing point #2. It absolutely makes sense to gradually phase out webcam access, geolocation, and other such hardware access unless the site is using HTTPS. I am on board with that. (Though note that even here they're reserving the right to phase out other existing features as well, even those that have no security/privacy implications.)

Point #1, though, is about phasing out all new features — for some definition of “new,” but apparently a definition that includes even innocuous stuff like new CSS filters.

In other words, they want to go beyond feature deprecation over HTTP for the sake of security; they want to deprecate certain features over HTTP for no other reason than to force you to switch to HTTPS.

That is where they lose me.
posted by savetheclocktower at 1:31 PM on May 1, 2015 [5 favorites]


Whom can I trust to tell me whom I can trust?

Serious question.
posted by sidereal at 1:32 PM on May 1, 2015 [2 favorites]


> Unless you're auditing your CAs on a regular basis, SSL doesn't make anything truly secure. It just means that casual eavesdropping will be significantly reduced.

What, is the NSA your personal boogeyman? Because ubiquitous SSL/TLS would make life harder for them, and it would also stop random people at coffeeshops and ISPs from snooping your traffic and injecting ads.
posted by Pronoiac at 1:35 PM on May 1, 2015


I'm going to miss being silently smug about using Lynx a lot.
posted by sidereal at 1:36 PM on May 1, 2015 [5 favorites]


I remember similar anger when sites started turning off telnet and forcing people to use ssh.
Luckily Mozilla is also (in part) behind this effort to make it easy to get and use SSL certs. I'd wait to see how that turns out before panicking.

PS: If you are still using an Apple or Microsoft product to surf the web, you may have bigger SSL related issues to worry about.
posted by Poldo at 1:43 PM on May 1, 2015 [1 favorite]


> I'm going to miss being silently smug about using Lynx a lot.

If I recall correctly, Lynx can be built with SSL/TLS support... or is there something else I'm missing?
posted by weston at 1:46 PM on May 1, 2015


Well, my applet-heavy site is a pain to use because no Cert, and I will soon try setting up the free one suggested above.

I kept seeing $200/year for a cert, and so punted.
posted by hexatron at 1:53 PM on May 1, 2015


...I have no idea how to fix my personal sites to make this work. And if it's $75/year for the certs, then I guess the whole idea is "how can we make it worse for freaking everyone who has their own personal site."

(I just checked my hosting provider, and it would be $15/year for the certs, in addition to the registration renewal, plus the hosting costs. I almost had to lose a domain due to not being able to easily afford it, but kept it. That SSL charge would be a deal breaker for some things, if I wasn't employed.)
posted by mephron at 1:55 PM on May 1, 2015


> Dammit, I like being able to troubleshoot things by connecting via telnet to port 80 and issuing GET statements.

You'll still be able to do this via a command-line SSL client.

Like this.
posted by jammer at 1:59 PM on May 1, 2015 [8 favorites]


To reiterate: Mozilla is not turning off support for plaintext HTTP. They are planning to use new features as an incentive to switch to HTTPS, and in the future they might change some existing HTML5 features to require HTTPS where the security benefits outweigh the compatibility risk. They are not going to turn off HTTP wholesale.
posted by teraflop at 2:02 PM on May 1, 2015 [2 favorites]


> I just checked my hosting provider, and it would be $15/year for the certs,

As people have said, you can get your own cert for free with StartSSL, and apparently there's some other initiative to also give away free certs. It's still a bit of a hassle, but since the whole point is you have to somehow demonstrate you control the resources you're signing, it would be very difficult to ever make it super convenient. But at least it only costs time, and not also money.
posted by aubilenon at 2:05 PM on May 1, 2015


> If I recall correctly, Lynx can be built with SSL/TLS support... or is there something else I'm missing?

Possibly - I haven't researched it in a while. Doesn't address the point of the FPP though, sorry for the derail

Also,

> Unless you're auditing your CAs on a regular basis, SSL doesn't make anything truly secure.

this.
posted by sidereal at 2:36 PM on May 1, 2015


You can also do SSL with a pre shared key if you don't wanna do certs. I mean, that doesn't help for your public blog, but for your home web server that you do your geeking out on it suffices.
posted by Annika Cicada at 2:38 PM on May 1, 2015


Or you could learn to set up your own CA server and make your self-signed CA certs available from your home webserver. Then you can learn how trivially easy it is to do SSL MITM on your kids. Then become horrified when you consider the political motivations nation-states have to do this on a much grander scale...
posted by Annika Cicada at 2:41 PM on May 1, 2015 [7 favorites]


> Whom can I trust to tell me whom I can trust?
>
> Serious question.
> posted by sidereal at 1:32 PM on May 1


Literally no one. Here's why.

but uh yeah. at root, it's all guesswork. Trust is a social problem, not a technical one.
posted by You Can't Tip a Buick at 2:52 PM on May 1, 2015 [3 favorites]


> What, is the NSA your personal boogeyman? Because ubiquitous SSL/TLS would make life harder for them

well...not if the NSA has secret unknowable laws forcing CAs to hand over keys *and* forbidding them from telling anyone.

That said, SSL/TLS is good to keep the petty criminals and ad-men out of your traffic. But that word 'Secure' in Secure Socket Layer? I don't think that word means what you think it means.
posted by j_curiouser at 3:14 PM on May 1, 2015 [1 favorite]


Let’s Encrypt is not a blanket answer, although it is already mentioned by several here. This is what Sven Slootweg (joepie91) had to say about it:
> [Let’s Encrypt] will also - at least, initially - only offer basic domain-validated, multi-host certificates. It is apparently undecided as of yet whether wildcard domains will be supported. Other scenarios may also not be supported.
The rest of his reaction to forced SSL is a good read as well.
posted by Martijn at 3:14 PM on May 1, 2015 [2 favorites]


> This is called captive portal detection.

Which is literally the most unreliable thing ever written in the history of software. Is there a RFC standard for captive portals? There should be. They all do something different and they all break in different crazy-making ways.
posted by GuyZero at 3:22 PM on May 1, 2015 [1 favorite]


I was wondering when someone would link Ken Thompson's 1984 "Reflections on Trusting Trust", which remains devastatingly cogent.

Still, there's Bruce Schneier's 2006 "Countering 'Trusting Trust'" which offers some hope.
posted by sidereal at 3:39 PM on May 1, 2015 [4 favorites]


I know. Let's make the web even slower and less accessible.

That'll work.
posted by clvrmnky at 3:45 PM on May 1, 2015 [1 favorite]


"If it costs my developers 15 minutes a week of lost productivity then your security upgrades aren't worth it."*

~Shrug~, it's your company.

*not a made up quote
posted by djeo at 3:49 PM on May 1, 2015


I didn't want to sound like a shill, so I didn't put a link to my $5/yr cert in my initial comment on the subject - but since it's been asked for, I'll say I got it from ssls.com. It was cheap enough it actually made my credit card company check with me that it was me that did the charge (it was).
posted by Fraxas at 4:29 PM on May 1, 2015


> I'm going to miss being silently smug about using Lynx a lot.

Yeah, standard builds of Lynx have supported HTTPS for ages. I'm looking at my site in it right now.

> Sigh. This made the rounds on Hacker News yesterday. To head off some common complaints:

Thank you. Jesus. I was all about to rage about how brutally short-sighted and head-in-the-sand this thread seemed determined to go for some reason.

Yeah, SSL sucks. It sucks a lot. It has a terrible trust model and the CA thing is horribly broken on both a political and technical level. We still don't have a better option, and we're not going to get one until the incentives drive people down the path of actually dealing with the problem. If you're a technical person and you are in here being like "this is stupid why can't I plaintext", you are wrong and you are part of the problem.

Argh.
posted by brennen at 4:33 PM on May 1, 2015 [6 favorites]


Ok so it's been a long day and I had a couple of beers before I came in here and I'm going to go outside before I flame out at anything else.
posted by brennen at 4:39 PM on May 1, 2015


> Thank you. Jesus. I was all about to rage about how brutally short-sighted and head-in-the-sand this thread seemed determined to go for some reason.

For what it's worth, as somebody who works there, this is the hardest part of developing and decision-making in the open. People half-hear things third-hand, start by assuming stupidity and bad faith and then show up in your inbox in astonishing numbers to tell you so, pretty much every day forever.

Mozilla's not perfect or infallible, for sure. But this kind of thing is a handful of extra pebbles in your shoes every day, and we've got a hell of a hill to climb.
posted by mhoye at 5:05 PM on May 1, 2015 [7 favorites]


This news hit Slashdot a while back and there were predictably many knees a-jerking as though HTTP were about to be auto-disabled overnight. As a broad long-term policy decision it makes sense though. It would be interesting to see investigation into the potential for other practical, secure protocols too.

I find some Mozilla actions odd or hard-to-grok, especially since I stopped following numerous related blogs, but I trust them infinitely more than any other organisation working in the internet space.
posted by comealongpole at 5:26 PM on May 1, 2015 [3 favorites]


> I was told all the best warez was at 127.0.0.1

Yeah, but it seems like everything I already own. Weird.
posted by jwest at 6:18 PM on May 1, 2015 [1 favorite]


Uhm, http *IS* still used. Secure or not, deprecation is not a very intelligent move, for a whole browser.
posted by Grease at 7:28 PM on May 1, 2015


See what I mean?
posted by mhoye at 7:35 PM on May 1, 2015 [7 favorites]


If it makes you feel any better mhoye, I also talk shit about DNS security.
posted by ryanrs at 8:06 PM on May 1, 2015


Nothing about DNS security has ever made anyone feel better about anything.
posted by mhoye at 8:35 PM on May 1, 2015 [7 favorites]


I'm on board with this. I have a (small, mostly-blog) personal site that I know I should move to HTTPS-only. SSL certificates can be had for free or nearly so.

What isn't free or even cheap is getting a dedicated, static IP from my hosting company (hostmonster, as it happens). I understand this to be a pre-requisite for using HTTPS for my site. (Snowflake: Everything is under a domain that I own, not http[s]://example.org/~sourcequench/ or something.)

(If I'm being clue-deprived, please apply the wire brush of enlightenment.)
posted by sourcequench at 8:59 PM on May 1, 2015


What I'd really like to see is for browsers to handle self-signed more like how SSH handles ALL certs, where the first time it says "hey I don't know about this cert" and you can say "it's fine for this host" and then if it changes it will get all up in your face, but otherwise it will keep quiet.
posted by aubilenon at 9:10 PM on May 1, 2015


DANE isn't perfect but it sure would be nice to have a better way to self-certify. The Certificate Authorities have proven to be awful caretakers of the public trust and a better model is needed.
posted by Nerd of the North at 9:35 PM on May 1, 2015


Sourcequench, SNI works for hosting multiple SSL domains on a single IP. Works with browsers that aren't old Windows and Android versions.

(btw a dedicated IP should cost something like $1/mo, right?)
posted by ryanrs at 9:46 PM on May 1, 2015 [2 favorites]


Also apparently there are no truly free SSL cert services. Startssl charged people $25/cert to revoke free certs during Heartbleed (what dicks).
posted by ryanrs at 9:48 PM on May 1, 2015 [1 favorite]


I can see how this specific move might be a good idea, but FireFox is moving more and more away from "the browser that lets people do what they want" toward "yet another browser with a lot of opinions about how I should use the web". They'll have to do a lot to make me switch away, and they seem to be very ambitious about accomplishing that.
posted by benito.strauss at 10:43 PM on May 1, 2015 [5 favorites]


Thanks for the pointer to SNI, ryanrs. That is indeed just the ticket for SSL on a shared IP. (For those playing along, say you've got multiple domains sharing one web server with one IP. Normally, the web server looks at the hostname in the HTTP request to know what site to serve up. With HTTPS, there's a chicken-and-egg problem as the hostname is in the encrypted part. The server doesn't know which certificate to present without knowing the hostname, and can't get the hostname until it negotiates SSL, which requires the right certificate. SNI gives the server the hostname in the clear, early enough in the process to help.)

Now, Hostmonster claims not to support SNI, which is suspicious as they use Apache and cpanel versions which do support it. Time for some pointed questions to support. (They want $4/mo. for static, which isn't ruinous but is galling when it’s so totally unnecessary.)
posted by sourcequench at 5:37 AM on May 2, 2015 [1 favorite]


> FireFox is moving more and more away from "the browser that lets people do what they want" toward "yet another browser with a lot of opinions about how I should use the web".

I should disclaim this by saying I'm not a high-level manager or policy-maker at Mozilla, so these opinions may not represent and so forth.

There's some discussion to be had around "freedom from" and "freedom to", here maybe. For example, for a long time there weren't rules about what side of the road you drive on. It just wasn't necessary. Over time that changed, obviously, and the rules of the road we have now make driving much safer, and that safety facilitates more real freedom for everyone than having no rules would.

The risks and realities of the modern web are very different than they were 20 years ago, and it's reasonable - and should be expected, in my opinion - that the web's rules of the road should have to grow and adapt as well. We're committed to a free and open Web, and part of that freedom involves freedom from getting arbitrarily screwed over by malicious actors. Some of whom in this modern age are well-funded criminal organizations, some of whom are multibillion-dollar companies, and some of whom are nation-states.

This is one of the reasons we're getting involved in advertising on the web, too. Not because we want to stuff Firefox full of commercials, but because the advertising that pays for the modern Web is intrusive as hell, has no regard whatsoever for user privacy, and periodically turns into a malware infection vector without warning. We think that we can show the world that advertising can be Done Right, in a way that gives people a more useful experience that's respectful of their privacy and choices, and lets users have more of a say in that interaction rather than "none" that's currently on the menu.

To some extent, you're right that we have a lot of opinions about how you should use the web - that's the nature of software, really, it's all just a bunch of decisions about how to change the state of your machine that you've delegated to whoever wrote it - but as far as Firefox is concerned those opinions are mostly that you should feel happy and secure browsing the Web day to day, to have real choices about where you go and what information you share, that you should be able to participate in the Web without having to ask permission, and that you be empowered to do more, up to and including being a part of Mozilla and modifying Firefox itself, if you choose.
posted by mhoye at 7:09 AM on May 2, 2015 [5 favorites]


> What I'd really like to see is for browsers to handle self-signed more like how SSH handles ALL certs, where the first time it says "hey I don't know about this cert" and you can say "it's fine for this host" and then if it changes it will get all up in your face, but otherwise it will keep quiet.

Isn't this what certificate pinning already does?
posted by Bangaioh at 9:20 AM on May 2, 2015


> When you think about it, it's kind of funny that they put all these warning icons and red Xs on HTTPS web sites that have less than optimal security, but put no warning at all on unsecured sites.

It's pretty consistent, I think. Unsecured sites make no claim to security, authenticity or privacy, whereas sites with self-signed certs or other blatant TLS fails are claiming to be secure while being equivalent to unsecured.

> What I'd really like to see is for browsers to handle self-signed more like how SSH handles ALL certs, where the first time it says "hey I don't know about this cert" and you can say "it's fine for this host" and then if it changes it will get all up in your face, but otherwise it will keep quiet.

SSH fingerprints are supposed to be verified out of band. Otherwise, you have no idea who you're communicating with. There's no CA system like with TLS. If you ask, "How do I authenticate the other end of my SSH connection?", SSH pretty much just shrugs and says, "dunno, you figure it out". And without authentication, encryption is pointless; you have no guarantee that both of you aren't just communicating through a hostile intermediary that is supplying their own keys. Self-signed TLS certs out on the open internet should absolutely be a red flag. If you know enough about TLS to do the self-signed cert thing competently, then you should already know how to get your browser to trust your cert.
posted by indubitable at 10:19 AM on May 2, 2015


> Self-signed TLS certs out on the open internet should absolutely be a red flag.

Yeah, well I'm not talking about the open internet. I'm talking about localhost, test setups, and home appliances. I still want to use them, and I want my browser to remember that I don't care even though the cert is dumb or expired or whatever.

> Isn't this what certificate pinning already does?

I dunno. I can't find anything for chrome that does this, but maybe I'm just bad at looking.
posted by aubilenon at 12:01 PM on May 2, 2015
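
Added example (not part of any comment in this thread): the SSH-style "remember this cert, complain if it changes" behaviour asked for above, with the out-of-band check indubitable raises as an optional input. The `PinStore` class, the host names and the certificate bytes are constructed for illustration; in practice the DER bytes would come from the TLS connection, for instance Python's `SSLSocket.getpeercert(binary_form=True)`.

```python
import hashlib


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 of the DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


class PinStore:
    """In-memory analogue of SSH's known_hosts: "host:port" -> certificate fingerprint."""

    def __init__(self):
        self._pins = {}

    def evaluate(self, host, port, der_cert, oob_fingerprint=None):
        """Classify a certificate presented by host:port.

        Returns one of:
          "match"             - same certificate as the one pinned earlier
          "changed"           - a pin exists and this certificate differs (possible MITM)
          "pinned-verified"   - first use, fingerprint confirmed out of band, now pinned
          "pinned-unverified" - first use, accepted on faith, now pinned
          "oob-mismatch"      - first use, but not the certificate the owner described
        """
        key = f"{host.lower()}:{port}"
        seen = fingerprint(der_cert)
        pinned = self._pins.get(key)

        if pinned is not None:
            # Later connections: silence on a match, a hard failure on any change.
            return "match" if pinned == seen else "changed"

        if oob_fingerprint is not None:
            # The fingerprint was read off the device label, a printout, etc.
            wanted = oob_fingerprint.replace(":", "").lower()
            if wanted != seen:
                return "oob-mismatch"      # nothing is pinned in this case
            self._pins[key] = seen
            return "pinned-verified"

        # Plain trust-on-first-use: whoever answered first is remembered.
        # An interceptor present on this first connection gets pinned too.
        self._pins[key] = seen
        return "pinned-unverified"


# Constructed stand-ins for DER certificates (any byte strings work for the demo).
ROUTER_CERT = b"constructed placeholder: router self-signed certificate"
OTHER_CERT = b"constructed placeholder: a different certificate"

if __name__ == "__main__":
    store = PinStore()
    print(store.evaluate("router.lan", 443, ROUTER_CERT))   # first contact
    print(store.evaluate("router.lan", 443, ROUTER_CERT))   # quiet from now on
    print(store.evaluate("router.lan", 443, OTHER_CERT))    # loud when it changes
```
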


> Now, Hostmonster claims not to support SNI, which is suspicious as they use Apache and cpanel versions which do support it.

I'm on a VPS instance in Linode's newark center running Centos 7, and I'm not a CPanel user.

I use a reverse proxy ( haproxy ) to read the SNI at the server level when it comes in and throw it an IP address/port combination of a docker instance running apache + whatever stack is needed for the app.

From apache in the container's pov, it just gets traffic for itself...
posted by mikelieman at 1:36 PM on May 2, 2015


It's definitely possible a shared hosting provider wouldn't bother with SNI since some customers would complain if old browsers didn't work. And if they're gouging people $4/mo for an ip, that's plenty of incentive, too, heh.
posted by ryanrs at 3:43 PM on May 2, 2015


> We think that we can show the world that advertising can be Done Right, in a way that gives people a more useful experience that's respectful of their privacy and choices, and lets users have more of a say in that interaction rather than "none" that's currently on the menu.

Is "Don't show me any ads" on the menu?
posted by sidereal at 5:39 PM on May 2, 2015 [4 favorites]


> It's definitely possible a shared hosting provider wouldn't bother

Oh, I *bet* that shared hosting providers don't bother, and at $4.00 a month for the solution there's a hell of a disincentive to modernize...

( FWIW, Linode is a buck a month per additional IP address... )
posted by mikelieman at 7:37 PM on May 2, 2015


Man I miss gopher (I know it's kind of clinging to life support in pockets of the network but still...)
posted by mcrandello at 10:51 PM on May 2, 2015


Further up, teraflop summarized some HN comments about this change. One of the comments that really caught my attention (and now of course I can't find it) was that SSL certs used to be to verify a person/organization. But that's time/labor intensive, so all of the cheap ones merely attempt to verify domain ownership (usually via email to a whois address or having a specific A record added). Change the domain registration process to require that a SSL cert be included for all (as opposed to the $2+/yr upsell that some registrars do).

Once every domain, by default, comes with an SSL cert, there's no reason not to (aside from shitty hosts/technical ineptitude). But let's say you have a wordpress.com blog and want to get your own domain. Now you'll get an SSL cert with it and hopefully wordpress.com (and other decent hosts) will include this in part of the setup process of your own domain and it will be relatively painless. Or maybe you just register the domain from wordpress.com and they give you the cert for free and it's all done for you.
posted by Brian Puccio at 7:40 AM on May 3, 2015


@indubitable, self-signed certificates aren't really actually insecure. The fear is that it might be a MiTM attack or a fake, etc.

I guess what I mean is, it's more of the fear for potential disaster than actual definitive danger.

A lot of older sites still haven't even optimized for anything other than Mosaic and Trident engines, much less ready to buy an ssl/tls certificate.

I do find the free SSL service to be incredibly helpful, it seems; before, I wonder, however, how it will affect analytical and advertisement-related businesses. Most of these go through HTTP. Even youtube streams or used to stream its actual video content through HTTP, when you were or are on HTTPS version of the site, included. I wouldn't be sad to lose analytics, but this move probably would require a massive transition by both the new generation of sites, and the ancient ones, to use SSL. Maybe not all bad, but it needs participation - it's not a one-person game. We will see what happens.
posted by Grease at 8:23 AM on May 3, 2015


> @indubitable, self-signed certificates aren't really actually insecure. The fear is that it might be a MiTM attack or a fake, etc.

I'm not real clear on how your first statement follows from your second. Because you can't establish authenticity, your connection is wide open to any active MiTM attack... but somehow they "aren't really actually insecure", because... magic? I don't recall if it's been specifically mentioned in this thread, but there are already documented cases of Comcast intercepting traffic to HTTP sites and injecting their own ads into them, so this is hardly a theoretical concern even to your typical blogger/webmaster who's just trying to sell eyeballs to advertisers.
posted by indubitable at 11:02 AM on May 3, 2015


@indubitable - Perhaps because most places where self signed certs are used in good faith, their validity can be verified out of band?
posted by wotsac at 9:22 PM on May 3, 2015 [1 favorite]


"all of the cheap ones merely attempt to verify domain ownership"

so to exploit the users of my website, someone can just jump on the domain, which suffices for the ssl provider, nice
posted by idiopath at 8:30 AM on May 4, 2015


Is "Don't show me any ads" on the menu?

It is not.

While we can quite happily let users install Adblock Plus or use FlashBlock instead of just setting Flash to click-to-play - and those addons are great, I sure love them - the reality of the situation is that right now, today, most of the free-as-in-not-paying-money Web is supported by ads. The reason no major web browser has yet - or will - declare itself to be "ad free" is that if one did, then every site in the world that relies on ad revenue will immediately redirect 100% of the users of that browser to a page saying "browser X is unsupported. If you want to see our site, use browser Y instead!"

It turns out that just about zero people want to use a web browser. What people want is to look at websites, and they'll generally jump through whatever hoops they need to to look at the websites they want to look at. We know that this is true from the number of people who already jump through hoops that are basically on fire and surrounded by warning lights and blaring sirens that they ignore, so that they can watch movies from dodgy piracy sites and end up 0wned in the process. So they'll install whatever competing browser they need to install, and the browser touting "no ads" as a tier-1 default-to-on feature will very quickly see its market share driven to zero.

To be clear, I don't think this is inherently bad; if ads make the Web more widely available and accessible to more people, that's a net (haha) positive even if we can improve on the situation. Consensus and incremental improvement is hard and slow, sure, but a Web where one browser vendor can enforce policy by unilateral action is not the Web we want, and maybe isn't the Web at all.
posted by mhoye at 9:03 AM on May 4, 2015 [4 favorites]


where the first time it says "hey I don't know about this cert" and you can say "it's fine for this host" and then if it changes it will get all up in your face, but otherwise it will keep quiet.

The tricky part is telling the difference between a certificate that is replaced for good reasons and one that is replaced for bad. It's easy on a server you are SSHing to, where the certificate is basically never replaced.
posted by smackfu at 9:18 AM on May 4, 2015
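
The trust-on-first-use behaviour described in the comment above, combined with the out-of-band fingerprint check raised earlier in the thread, as an added example that is not from any commenter or from any browser's code. `TofuStore`, `PinError`, the host name and the certificate bytes are hypothetical and constructed for illustration.

```python
import hashlib
from typing import Optional


class PinError(Exception):
    """The presented certificate cannot be accepted for this host."""


def fingerprint(der: bytes) -> str:
    # SHA-256 over the DER encoding. On a live connection the bytes come
    # from ssl.SSLSocket.getpeercert(binary_form=True).
    return hashlib.sha256(der).hexdigest()


class TofuStore:
    def __init__(self):
        self.pins = {}  # host -> hex fingerprint accepted earlier

    def check(self, host: str, der: bytes, oob_fp: Optional[str] = None) -> str:
        """Return 'first-use', 'verified', 'match' or 'rotated'; raise PinError."""
        seen = fingerprint(der)
        if oob_fp is not None:
            # A fingerprint obtained out of band (phone call, printed sheet)
            # is the only input here that speaks to authenticity.
            if oob_fp.replace(":", "").lower() != seen:
                raise PinError(f"{host}: does not match out-of-band fingerprint")
        pinned = self.pins.get(host)
        if pinned is None:
            self.pins[host] = seen
            return "verified" if oob_fp else "first-use"
        if pinned == seen:
            return "match"
        if oob_fp is None:
            # The store alone cannot tell a renewal from an interception.
            raise PinError(f"{host}: certificate changed since it was pinned")
        self.pins[host] = seen
        return "rotated"


def demo():
    # Constructed stand-ins for DER certificates (not real certificates).
    original, renewed = b"constructed-cert-A", b"constructed-cert-B"
    store = TofuStore()
    out = [store.check("blog.example", original),
           store.check("blog.example", original)]
    try:
        store.check("blog.example", renewed)
    except PinError:
        out.append("blocked")
    out.append(store.check("blog.example", renewed, oob_fp=fingerprint(renewed)))
    return out
```

A changed certificate is accepted only when its fingerprint has been confirmed through another channel; without that, a legitimate renewal and an interception look identical to the store.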


> It turns out that just about zero people want to use a web browser.

That sounds about right. My interest group is often considered to constitute a rounding error.
posted by benito.strauss at 3:44 PM on May 4, 2015


@indubitable, the MiTM attack is a matter of "if," not "when," regarding self-signed ones. They can also happen with rogue certificates, so even signed ones (which can be spoofed), aren't perfect. Self-signed ones occur all the time, they're not a big deal - it's about what it MIGHT be, not what it definitely is. It's like being afraid of all EXE files, because often, they're the ones with malware.
posted by Grease at 9:57 AM on May 7, 2015


Maybe but the cert chains we have are a joke. Does anyone here have any confidence that their cert chain in their browser is materially more secure than self-signed certs? How is a naive user to have any confidence in their little padlock icon?
posted by mikelieman at 10:36 AM on May 7, 2015


> Does anyone here have any confidence that their cert chain in their browser is materially more secure than self-signed certs?

It's trivial to make a self-signed cert that claims to represent any arbitrary site. It's not even trivial to produce a CA-signed cert for a domain you do own and control. I don't believe the CA system is bulletproof but there's a lot of room between "easy" and "probably possible". If I'm wrong and it's not so hard, I'd love a demonstration. I'd be happy to temporarily edit my hostfile to visit a spoofed https://example.com/

So yeah, I really don't love the current system, but I currently do think it's better than absolutely nothing.
posted by aubilenon at 11:51 AM on May 7, 2015


(mhoye, speaking as a guy who excitedly downloaded the first Gecko release onto a floppy (because I could!) and has been using what eventually became Firefox ever since - thanks man. You and your fellow coders do a lot of work that isn't always appreciated as much as it could be.)
posted by caution live frogs at 12:55 PM on May 13, 2015 [1 favorite]

