[ALUG] Mozilla will obsolete HTTP

Andreas Tauscher ta at geuka.net
Mon May 4 02:49:43 EAT 2015


On 05/03/2015 at 05:19 PM, Tim Schofield via Linux wrote:

> Hi Andreas, you are way smarter than me on the technical details but
> most people would not be aware of the free certificates you mention.
> 
> For the average person wanting to set up a simple web site all they
> would see are organisations like godaddy who want GBP48.99 per year
> (1&1 want GBP55 per year) for a certificate, effectively doubling the
> hosting cost. I imagine godaddy and 1&1 are not a lot different than
> other mainstream hosting companies and are certainly amongst the most
> popular. Yes I know that there are better hosting companies but the
> average person will just go with what they have heard of.

It will need a change in thinking by the providers.
What a challenge was it, not so long ago, to get a website online? And
now: A few mouse clicks and done.
Or if I go a few years further back, registering a domain. The first
domain I registered was a real challenge. The application form had, I
think, 8 pages. You had to bring proof that you have at least 2 DNS,
that they are in different networks, on what hardware they are running,
which software, that the operator is capable of doing it, why this name,
for what reason you want a domain, and a pile of other documents was
requested. All on real paper, signed and stamped, put in an envelope and
sent by post. And it was bloody expensive. Not sure, but I think for a
.org domain we paid in 92/93 over 1000$/year.
And now: Registration takes not even 5 minutes, changes I do nearly in
real time and it costs not even 10$/year.

Encryption is some pain in the ass. But they got it simplified for
domain registration and for hosting so why not for certificates?

For the average user only wanting his page online: Nothing will change.
The advanced user will have more options.
Whoever wants a site online fast for testing: The letsencrypt scripts
are doing everything: Generating the certificates, getting them signed
and creating the basic web server configuration.
The distributions will also follow and bring better and default
support for SSL configurations.

> Mozilla appear to say they will deliberately worsen the way a site
> looks in Firefox if the site does not use https only. Doesn't this go
> against the principles of net neutrality?

Has somebody realised that the <blink> tag died?
Several websites from the 90s can now be viewed without the risk of
getting eye cancer :)
They will not worsen a site. What they want to do first is make new
features only available for https.

One measure will be http2. Google gave up their SPDY protocol (which
is only working over TLS connections) and wide parts of it are now
adopted in the IETF standard http/2.0.
Complex sites will have benefits using http2. The pages are loading
faster, the server can push to the client, bandwidth is used more
efficiently.
It also gives completely new opportunities for web applications.
In the standard from February 2015 TLS is no longer a must: "must
support TLS" was replaced with "should support TLS".
But: Firefox has http2 since version 36 (only over TLS: h2) and Chrome
will support it next year, also only over TLS.
Also most of the existing server/proxy implementations support only the
h2 protocol (http2 over TLS) like: Akamai Ghost, Apache Traffic Server,
cl, F2, H2O, Lucid, nodejs, twitter. It looks like apache2 and nginx
will also support only h2.

All this will not happen now. There will be plenty of time.

How can the user be made more aware of the difference between http
and https? The warnings when certificate verification fails are telling
in a confusing way nothing or they are full of nerd blabla. For the
average user it is absolutely not understandable what this now means.
There are still a lot of things to do.

The average users cannot be mobilised to tell the website operators: I
want this only if a secure connection is used.
So the web masters and web designers have to be pushed gently but
definitely in this direction.
If these things become normal then a normal user will become more aware
of not normal things. Now if there is a green bar or a lock left of
the URL or not: Who cares? This must change.

For the owners of websites: Encryption with DANE, DKIM, DMARC and all
the other stuff is a very efficient tool to stop phishing and other fraud
or at least making it much more difficult.
Phishing is a big business. The RSA online fraud report 1/2014 is talking
about 5.9 billion US$ losses in 2013.

The internet as it is we cannot change. It was a research project, a
proof of concept. Security was not a real topic in the development.
Nobody could imagine in those days how it is used now.
Have a look at IPv6: It is now 20 years old and still not really launched
but it will push IPv4 to be used only in local networks. From the
internet IPv4 will disappear.
It is a part of the development.
Yes, some things have to die. http is one of them. Not now and not next
year but it must die.

Andreas
