I have to say, I actually disagree with this move. While I think the intentions sound noble, and I'm all for a more secure web, I also believe that a web browser has no business dictating that the entire web should be forced into HTTPS.
I don't see any benefit in this type of blanket, all-or-nothing type of approach. In fact, I see it doing more damage than good. Encrypting blogs, news websites, etc. still makes no sense to me. I'm actually disappointed in Mozilla for looking at doing this. As a developer I respect many of their products and see them as champions of the web in a lot of ways.
HTTPS does not:
- protect a user from malware on their own system with keylogging taking place
- increase security in outdated and insecure websites (e.g. old, known-exploitable code)
- prevent any browser drive-by downloaders or exploits
- increase the security of the web server itself (the web stack that's serving requests) - yeah, that's you using a private VPS without doing kernel updates.
These are likely the major factors of why people have security issues.
What is forcing HTTPS on the entire web actually doing? Who is it benefiting?
The government can still snoop your data in-flight. If someone is connected to a fake Wi-Fi endpoint, there is on-the-fly SSL decryption out there...
Do we still need TLS for actual secure transactions that deal with personal data? Yes, of course. That's what it is intended for.
Do we need TLS to read the latest TMZ post about Miley Cyrus?
You decide... (oh and it's http if you were wondering)
HTTPS provides authentication, not just confidentiality.
When you visit "blogs, news websites, etc" do you think there's no value in being able to know for sure that the content is exactly what the owner of the site intended? Even though ISPs have proven themselves willing to intercept and modify that content in transit?
You're oversimplifying and being dismissive without cause.
>a web browser has no business dictating that the entire web should be forced into HTTPS.
1. That isn't what is happening, as per the article. They are going to begin picking features that shouldn't be allowed over HTTP (like, say, geolocation, web camera access, etc.).
2. A browser is precisely the actor that should push for these things. If not browser vendors, who?
>What is forcing HTTPS on the entire web actually doing?
Encrypting streams of data that were previously unencrypted.
>Who is it benefiting?
Users.
>The government can still snoop your data in-flight.
So your argument is 'this isn't perfect for all attack vectors, so it isn't useful at all'?
>Do we need TLS to read the latest TMZ post about Miley Cyrus?
> I don't see any benefit in this type of blanket, all or nothing, type of approach.
Imagine you're making some meatballs. You've got pigs, spices, and a stove.
If you're in Germany, there's no problem -- kill some pigs, grind some pork, mix in the spices, and cook your meatballs. You could make sausages the same way (as long as you've got tubing). And you're free to sample your food as you cook it to make sure it suits your tastes.
If you're in the US, you've got two options:
1. Give up on sausage entirely. Make sure your ground pork is well cooked before you even think of eating any of it.
2. Carefully vet the pigs for trichinosis before introducing their pork into your kitchen.
Unsurprisingly, we use option 1.
Germany, like the rest of Europe, has opted for a blanket solution where they're not allowed to have pigs with trichinosis. The US has opted for a different blanket solution where you can't eat raw pork. Nobody is suggesting that we carefully inspect individual pigs and treat the meat according to whether they had trichinosis.
The recent attack on GitHub, where malicious JavaScript was injected into a plain unencrypted HTTP connection, is enough to convince me that requiring HTTPS everywhere is the right move.
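An added example (not from any commenter in this thread) illustrating the point made about authentication and about the GitHub injection: over plain HTTP a client renders whatever bytes arrive, while an authenticated channel rejects bytes altered in transit. The page, the injected script tag, the key and the function names are all constructed for the demo; the HMAC stands in for TLS record-layer integrity and does not model TLS's encryption or key exchange.

```python
import hashlib
import hmac
from typing import Callable, Optional

# Constructed sample page, as the site owner intended it to be served.
ORIGINAL_PAGE = b"<html><body><h1>Latest post</h1><p>Hello, readers.</p></body></html>"
# Constructed sample of an injected script tag; the real incident's payload is not reproduced.
INJECTED_SCRIPT = b"<script src='http://example.invalid/injected.js'></script>"
# Constructed shared key, standing in for the keys TLS derives during its handshake.
KEY = b"constructed-demo-key"

Network = Callable[[bytes], bytes]

def passthrough(body: bytes) -> bytes:
    """Honest network: bytes arrive unchanged."""
    return body

def on_path_injection(body: bytes) -> bytes:
    """An on-path party (ISP, rogue Wi-Fi, national firewall) rewrites the response in transit."""
    return body.replace(b"</body>", INJECTED_SCRIPT + b"</body>")

def fetch_over_http(network: Network) -> bytes:
    """Plain HTTP: the client renders whatever arrives; nothing binds the bytes to the origin."""
    return network(ORIGINAL_PAGE)

def fetch_over_authenticated(key: bytes, network: Network) -> Optional[bytes]:
    """Authenticated channel: the origin MACs the body and the client verifies before rendering.

    Returns the body if the tag verifies, or None if the bytes were altered in transit.
    An on-path party without the key cannot produce a matching tag for modified bytes.
    """
    tag = hmac.new(key, ORIGINAL_PAGE, hashlib.sha256).digest()  # computed at the origin
    body = network(ORIGINAL_PAGE)                                 # body crosses the network
    expected = hmac.new(key, body, hashlib.sha256).digest()       # recomputed by the client
    if not hmac.compare_digest(expected, tag):
        return None  # tampering detected: refuse to render
    return body

if __name__ == "__main__":
    print("HTTP, honest network intact:", fetch_over_http(passthrough) == ORIGINAL_PAGE)
    print("HTTP, injected script rendered:", INJECTED_SCRIPT in fetch_over_http(on_path_injection))
    print("Authenticated, honest network intact:", fetch_over_authenticated(KEY, passthrough) == ORIGINAL_PAGE)
    print("Authenticated, injection rejected:", fetch_over_authenticated(KEY, on_path_injection) is None)
```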