Forcing HTTPS Is Being Discussed

Subject: General Tech | April 14, 2015 - 08:08 PM |
Tagged: mozilla, http, https, firefox

On the Mozilla Dev-Platform Newsgroup, hosted at Google Groups, a proposal to deprecate insecure HTTP is being discussed. The idea is that HTTPS needs to be adopted and organizations will not do it without being pushed. The plan is to get browser vendors to refuse activating new features, and eventually disable old features, unless the site is loaded as a “privileged context”.


This has sparked a debate, which was the whole point of course, about how secure do we want the Web to be. What features should we retroactively disable unless it is done through HTTPS? Things that access your webcam and microphone? Things that write to your hard drive? Then there is the question of how to handle self-signed certificates to get encryption without verification, and so forth.

Note: Websites cannot access or create files on your hard drive, but standards like localStorage and IndexedDB allow websites to have their own spaces for persistence. This is to allow, for instance, a 3D game to cache textures (and so forth) so you don't need to download them every time.

Personally, this concerns me greatly. I started helping Mozilla a couple of years ago, a few weeks after I saw Microsoft's Windows 8 developer certification program. I do not like the thought of someone being able to stifle creation and expression, and the web was looking like it might be the last bastion of unrestricted development for the general public.

In the original Windows Store requirements, no browser could exist unless it was a skin of Trident. This meant that, if a site didn't work in Internet Explorer, it didn't exist. If you didn't want to play by their rules? Your app didn't get signed and your developer certificate could even be revoked by Microsoft, or someone with authority over them. You could imagine the problems a LGBT-focused developer might have in certain countries, even if Microsoft likes their creations.

This is obviously not as bad as that. In the Windows Store case, there was one authority whereas HTTPS can be authenticated by numerous providers. Also, if self-signed certificates are deemed “secure enough”, it would likely avoid the problem. You would not need to ask one of a list of authorities permission to exist; you could secure the connection yourself. Of course, that is a barrier of skill for many, and that is its own concern.

So we'll see, but I hope that Mozilla will take these concerns as a top priority in their decisions.

Source: Mozilla

Nothing new to see here but Firesheep may be news to some

Subject: General Tech | September 12, 2011 - 11:56 AM |
Tagged: firesheep, security, fud, https

About a year ago you may have read about FireSheep, a FireFox add-on which takes advantage of the unencrypted nature of many packets being sent to social networks to allow others to access your accounts.  It is specifically used on wireless connections, in what is called a man in the middle attack, as you surf using an unencrypted connection the laptop running Firesheep captures your data before it even hits your account.  That extension is still around and causing havoc, making the news recently with the revelation that packets sent via Google have a unique session ID sent in plain text which can be used to identify a Google acount and then access the search history of the acccount.   Check out The Register for more on this topic and consider HTTPS Everywhere for your laptop.


"Researchers have released a Firefox extension that demonstrates the risks of using Google search services on Wi-Fi hotspots and other unsecured networks: With just a few clicks, attackers can view large chunks of your intimate browsing history, including websites you've already visited."

Here is some more Tech News from around the web:

Tech Talk


Source: The Register