[ALUG] Mozilla will obsolete HTTP

Richard Manyanza 1.liseki at gmail.com
Mon May 4 10:04:47 EAT 2015


Thank you guys for a spirited discussion!

I'd like to chime in from the angle Alan just mentioned. If you have 45
minutes this is very much worth watching:
https://www.youtube.com/watch?v=fwcl17Q0bpk

In the video PHK, who is a BSD developer and the guy behind Varnish,
points to possible vulnerabilities in OpenSSL. Note this was before the
heartbleed bug was found out! I think he makes a very important point that
this library that underlies https across the internet is extremely dense
and very very few people understand it! We know that the NSA knew of the
heartbleed bug for at least 2 years [1] and exploited it. It is not too
much of a stretch to presume heartbleed isn't the last one. While https
will keep phishers and most hackers at bay, we may be lulling ourselves
into a false sense of security while the 3-letter agencies (NSA et al) are
managing to keep the internet in clear text.


[1]
http://www.extremetech.com/extreme/180435-the-nsa-knew-about-and-exploited-the-heartbleed-bug-for-at-least-two-years

On Mon, May 4, 2015 at 9:20 AM, Alan Orth via Linux <
linux at lists.habari.co.tz> wrote:

> Yes the Certificate Authorities and governments are deplorable, and HTTPS
> is tricky to set up but it's getting easier with a few guides
> circulating[0][1]. One result of this is better defaults landing in
> upstream projects like Apache and OpenSSH...
>
> My major concern is dragnet surveillance. All Snowden reports point to the
> fact that communications and signals intelligence is not breaking crypto;
> they're relying HEAVILY on passive collection of plaintext traffic, and
> only sometimes using epic 0days, subverting standards, etc. The only way to
> prevent every provider your traffic passes through from sniffing it is to
> encrypt it, preferably with forward secrecy.
>
> Alan
>
> [0] https://bettercrypto.org/
> [1] https://wiki.mozilla.org/Security/Server_Side_TLS
>
> On Mon, May 4, 2015 at 2:49 AM, Andreas Tauscher via Linux <
> linux at lists.habari.co.tz> wrote:
>
>> Am 05/03/2015 um 05:19 PM schrieb Tim Schofield via Linux:
>>
>> > Hi Andreas, you are way smarter than me on the technical details but
>> > most people would not be aware of the free certificates you mention.
>> >
>> > For the average person wanting to set up a simple web site all they
>> > would see are organisations like godaddy who want GBP48.99 per year
>> > (1&1 want GBP55 per year) for a certificate, effectively doubling the
>> > hosting cost. I imagine godaddy and 1&1 are not a lot different than
>> > other mainstream hosting companies and are certainly amongst the most
>> > popular. Yes I know that there are better hosting companies but the
>> > average person will just go with what they have heard of.
>>
>> It will need a change in the thinking of the providers.
>> What a challenge it was not so long ago getting a website online! And
>> now: a few mouse clicks and done.
>> Or, if I go a few more years back, registering a domain. The first domain
>> I registered was a real challenge. The application form had, I think,
>> 8 pages. You had to bring proof that you had at least 2 DNS servers, that
>> they were in different networks, what hardware they were running on, which
>> software, that the operator was capable of doing it, why this name, for
>> what reason you wanted a domain, and a pile of other documents was
>> requested. All on real paper, signed and stamped, put in an envelope and
>> sent by post. And it was bloody expensive. Not sure, but I think for a
>> .org domain we paid in 92/93 over 1000$/year.
>> And now: registration doesn't even take 5 minutes, changes I do nearly
>> in real time, and it doesn't even cost 10$/year.
>>
>> Encryption is a pain in the ass. But they got it simplified for
>> domain registration and for hosting, so why not for certificates?
>>
>> For the average user only wanting his page online: nothing will change.
>> The advanced user will have more options.
>> Whoever wants a site online fast for testing: the letsencrypt scripts
>> do everything: generating the certificates, getting them signed and
>> creating the basic web server configuration.
>> The distributions will also follow and bring better and default
>> support for SSL configurations.
>>
>> > Mozilla appear to say they will deliberately worsen the way a site
>> > looks in Firefox if the site does not use https only. Doesn't this go
>> > against the principles of net neutrality?
>>
>> Has somebody realised that the <blink> tag died?
>> Several websites from the 90s can now be viewed without the risk of
>> getting eye cancer :)
>> They will not worsen a site. What they want to do first is to make new
>> features only available for https.
>>
>> One measure will be http2. Google gave up their SPDY protocol (which
>> only works over TLS connections) and large parts of it are now
>> adopted in the IETF standard http/2.0.
>> Complex sites will have benefits using http2. The pages load
>> faster, the server can push to the client, bandwidth is used more
>> efficiently.
>> It also gives completely new opportunities for web applications.
>> In the standard from February 2015 TLS is no longer a must: "must
>> support TLS" was replaced with "should support TLS".
>> But: Firefox has had http2 since version 36 (only over TLS: h2) and Chrome
>> will next year also support it only over TLS.
>> Also most of the existing server/proxy implementations support only the
>> h2 protocol (http2 over TLS), like: Akamai Ghost, Apache Traffic Server,
>> cl, F2, H2O, Lucid, nodejs, twitter. From how it looks, apache2 and nginx
>> will also support only h2.
>>
>> All this will not happen now. There will be plenty of time.
>>
>> How can the user be made more aware of the difference between http
>> and https? The warnings when certificate verification fails either say
>> nothing, in a confusing way, or they are full of nerd blabla. For the
>> average user it is absolutely not understandable what this means.
>> There are still a lot of things to do.
>>
>> The average users can not be mobilised to tell the website operators: I
>> want this only if a secure connection is used.
>> So the web masters and web designers have to be pushed gently but
>> definitely in this direction.
>> If these things become normal, then a normal user will become more aware
>> of things that are not normal. Now, whether there is a green bar or a lock
>> to the left of the URL or not: who cares? This must change.
>>
>> For the owners of websites: encryption with DANE, DKIM, DMARC and all
>> the other stuff is a very efficient tool to stop phishing and other fraud,
>> or at least to make it much more difficult.
>> Phishing is a big business. The RSA online fraud report 1/2014 talks
>> about 5.9 billion US$ in losses in 2013.
>>
>> The internet as it is we can not change. It was a research project, a
>> proof of concept. Security was not a real topic in the development.
>> Nobody could imagine in those days how it is used now.
>> Have a look at IPv6: it is now 20 years old and still not really launched,
>> but it will push IPv4 to be used only in local networks. From the
>> internet IPv4 will disappear.
>> It is a part of the development.
>> Yes, some things have to die. http is one of them. Not now and not next
>> year, but it must die.
>>
>> Andreas
>>
>>
>> _______________________________________________
>> The Arusha Linux User Group: http://unix.or.tz
>> Linux mailing list
>> Linux at lists.habari.co.tz
>> http://lists.habari.co.tz/cgi-bin/mailman/listinfo/linux
>>
>> The Arusha LUG mailing list is generously hosted by Habari Node Ltd:
>> http://www.habari.co.tz/
>>
>> The above comments and data are owned by whoever posted them (including
>> attachments if any). The mailing list host is not responsible for them in
>> any way.
>>
>
>
>
> --
> Alan Orth
> alan.orth at gmail.com
> https://alaninkenya.org
> https://mjanja.ch
> "In heaven all the interesting people are missing." -Friedrich Nietzsche
> GPG public key ID: 0x8cb0d0acb5cd81ec209c6cdfbd1a0e09c2f836c0
>
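Alan's point that traffic should be encrypted with forward secrecy (following the bettercrypto and Mozilla Server Side TLS guides he links), together with Andreas's note that browsers only speak HTTP/2 over TLS, as an added example that is not code from any poster in this thread: it builds a server-side TLS context with Python's `ssl` module and checks that every cipher suite the server would accept uses an ephemeral key exchange, while ALPN advertises h2. The cipher string is an assumption chosen for this example, not something taken from the thread or from either guide.

```python
"""Added example (not from any poster in this thread): a forward-secrecy-only
server TLS context plus a check that no enabled suite lacks forward secrecy."""
import ssl

# Assumed hardened cipher list: TLS 1.2 AEAD suites with ephemeral (EC)DHE
# key exchange only; static-RSA key exchange suites are never selected.
FS_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!MD5:!RC4"


def make_server_context(cipher_string: str = FS_CIPHERS) -> ssl.SSLContext:
    """Server context: TLS 1.2 minimum, given cipher list, h2 offered via ALPN."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(cipher_string)
    # HTTP/2 is only negotiated over TLS, via ALPN; fall back to HTTP/1.1.
    ctx.set_alpn_protocols(["h2", "http/1.1"])
    return ctx


def has_forward_secrecy(cipher: dict) -> bool:
    """True if a get_ciphers() entry uses an ephemeral key exchange."""
    if cipher["protocol"] == "TLSv1.3":
        return True  # every TLS 1.3 suite uses (EC)DHE key exchange
    # TLS 1.2 suite names start with the key exchange: ECDHE-/DHE- are
    # ephemeral; bare AES..., CAMELLIA... etc. use static RSA key transport.
    return cipher["name"].startswith(("ECDHE-", "DHE-"))


def non_fs_ciphers(ctx: ssl.SSLContext) -> list:
    """Names of enabled suites that would NOT give forward secrecy."""
    return [c["name"] for c in ctx.get_ciphers() if not has_forward_secrecy(c)]


if __name__ == "__main__":
    hardened = make_server_context()
    print("hardened context, suites without forward secrecy:",
          non_fs_ciphers(hardened) or "none")
    # A permissive list (constructed for contrast) still enables static-RSA suites.
    permissive = make_server_context("ALL:!aNULL")
    print("permissive context, suites without forward secrecy:",
          non_fs_ciphers(permissive))
```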