[ALUG] Mozilla will obsolete HTTP

[Tim Schofield]

Hi Andreas, you are way smarter than me on the technical details but
most people would not be aware of the free certificates you mention.

For the average person wanting to setup a simple web site all they
would see are organisations like godaddy who want GBP48.99 per year
(1&1 want GBP55 per year) for a certificate, effectively doubling the
hosting cost. I imagine godaddy and 1&1 are not a lot different than
other mainstream hosting companies and are certainly amongst the most
popular. Yes I know that there are better hosting companies but the
average person will just go with what they have heard of.

Mozilla appear to say they will deliberately worsen the way a site
looks in Firefox if the site does not use https only. Doesn't this go
against the principles of net neutrality?

Tim

On 3 May 2015 at 12:36, Andreas Tauscher via Linux
<linux at lists.habari.co.tz> wrote:
> Am 05/03/2015 um 11:54 AM schrieb Tim Schofield via Linux:
>
>> This "feels" wrong to me. It seems like another way to move the web
>> into being owned by governments and corporations and away from it's
>> free, open and transparent founding principles.
>
> I understand your concerns. At the moment the CA infrastructure is
> somehow broken. If I count 300+ CAs in the OS/browser trust store
> something is wrong.
> And where do I get a certificate?
> Many hosting providers offering certificates for free for the domains
> registered with them. Some CAs are offering certificates for free like
> StartSSL and WoSing. Mid of the year letsencrypt.org will go operational
> also offering free certificates.
> The next component is DANE [1] what has to arrive in the client software.
> With DANE the client can verify certificates by DNS lookups. I have only
> to publish fingerprints or certificates as TLSA records in my DNSSEC
> secured zone.
> Not only the clients can verify even my self signed certificate: I can
> also run my own CA without having my root certificate in the client's
> trust store.
> But for the moment DANE is only supported by postfix 2.11+ and with
> plugins by Chrome and Firefox. For Thunderbird (Linux only) is a crutchy
> workaround available.
> With DANE nothing is given to governments or corporations.
>
>> Yes there are sites that should obviously be https only, but there
>> are also sites where it would be unnecessary.
>
> It is necessary for all pages!
> It is not only that nobody can read what I enter. It is also for the
> site owner to ensure that the content arrives unmodified.
> Comcast is injecting advertisement in web traffic. [2]
> AT&T/Verizon is injecting tracking cookies in web traffic. [3]
>
> Who wants a third party modifying my content without my permission?
> If I care about my content arrives unmodified I have to encrypt.
>
>> It is not up to the likes of Google/NSA/Mozilla to force this onto
>> us.
>
> If Google is trustworthy: Different problem. But somebody has to start.
> And now Google and Mozilla starting from this end.
> Last year thousands of mailing lists exploded because Yahoo started to
> verify DKIM signatures. Outdated or wrong configured mailing list
> software is breaking this signature: Reject or Spamfolder depending
> which DMARC policy was published.
> Big crying. But sorry: If you operate a mailing list and you have no
> idea what your software is doing with mails: You are in the wrong business.
>
> Giving recommendations is obvious not working. As long there are so many
> host/post/web/whatever masters having no clue what they are doing, being
> ignorant or simply stupid the only way I see is to bring more pressure
> on them: You get your crap fixed and meeting actual standards or you are
> out. There was more than enough time.
>
>> They would be better looking at the insecurities in their
>> JS/ActiveX engines that allow malware to get installed if a user goes
>> to an insecure site.
>
> That is a different problem.
> IMHO the most blame has be brought to the webmasters/webdesigners.
> As long I find thousands of websites using a million years old version
> of wordpress, phpBB, drupal or whatever, most web"designer" even having
> no idea what XSS or SQL injection is, as long bastards like ebay
> ignoring XSS issues for over one year [4] (when I search the full
> disclosure mailing list for ebay: Amazing. They are real experts in
> creating XSS holes. Nobody having this much CVE numbers related to XSS),
> wordpress needing over one year to fix XSS vulnerabilities and then a
> few days later exploding again with an even more worse stored XSS,
> advertisement networks like AOL's advertise.com are frequently abused to
> distribute maleware and Adobe never getting fixed their crap flash
> player and Mircosoft is not getting an update mechanism for software
> working:
> The best and most secure js engine can not protect me. It can only limit
> the damage already done by others.
> It is like blaming the car manufacturer for failing breaks when driving
> 200 on a slippery road.
>
> Andreas
>
> [1] http://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities
> [2]
> http://arstechnica.com/tech-policy/2014/09/08/why-comcasts-javascript-ad-injections-threaten-security-net-neutrality/
> [3] https://www.eff.org/de/deeplinks/2014/11/verizon-x-uidh
> [4]
> https://grahamcluley.com/2014/09/ebay-password-stealing-security-hole-existed-months/
>
>
> _______________________________________________
> The Arusha Linux User Group: http://unix.or.tz
> Linux mailing list
> Linux at lists.habari.co.tz
> http://lists.habari.co.tz/cgi-bin/mailman/listinfo/linux
>
> The Arusha LUG mailing list is generously hosted by Habari Node Ltd: http://www.habari.co.tz/
>
> The above comments and data are owned by whoever posted them (including attachments if any). The mailing list host is not responsible for them in any way.



-- 
Course View Towers,
Plot 21 Yusuf Lule Road,
Kampala
T   +256 (0) 312 314 418
M +256 (0) 752 963 325
www.weberpafrica.com
Twitter: @TimSchofield2
Blog: http://weberpafrica.blogspot.co.uk/