[ALUG] Mozilla will obsolete HTTP

Andreas Tauscher ta at geuka.net
Mon May 4 22:56:10 EAT 2015


> I know there are great open source tools for securing your web site -
> as I said your technical knowledge of such things is light years ahead
> of mine. My point is whether it is the job of the browser companies to
> force that upon us. I dislike the idea that Google/Mozilla etc will
> deliberately break web sites that aren't set up as they want them
> set up.

As I said, this will at first only affect sites using http2.
It is also correct according to the draft RFC. You must not support all
protocol variants, and you should support TLS.
The result is that most implementations support only the h2 variant, which
implies TLS. The h2c variant without TLS and fallback to http1.1 is not
supported.
After a while encryption will have become so natural. Nobody will
think about it. It is simply working. Solutions will follow to make it
easy for John Public to use.

> If webmasters don't secure their sites properly surely that
> should be up to them? If I want to leave my front door unlocked then I
> can, there is no law to stop me, and there shouldn't be. If I get
> robbed then it is my fault. Advising me to lock the door should be
> enough, just as advising me to encrypt should be enough. It's not the
> need for encryption that bothers me, it is the forcing it upon people.

They still then have the option to use http1.1, at the cost of no
multiplexed connections, no push and a complete TCP handshake for every
element in the page.

> Should a company intranet server really have to pay to authenticate
> itself? Seems crazy to me, I know many intranets where the clients
> aren't even connected to the internet itself.

Use your own self signed certificates. If you need more certificates or
often changing test environments, then create your own CA. Create a root
certificate, distribute it to all the clients in your network and use
it to sign your own certificates. A handy script comes with openvpn:
easy-rsa: build-ca to create the root certificate and then
build-key-server to create certificates and sign them with your own root
certificate.
Once you have installed your own root certificate, all certificates you signed
with it work like any "normal" signed certificate.
You authenticate yourself to yourself :)
Nobody was ever or will ever be forced to buy a certificate for internal
use.

> Most sites will benefit from encryption, but actually very few really
> need to authenticate themselves. Shouldn't a simple form of self
> certification be sufficient?

It is fine. When DANE arrives in browsers, mail clients and whatever, no
error message will be shown. Maybe then there will be an info that this
certificate is not signed by a third party. But the problem of how I can
verify whether the certificate is valid, genuine and belongs to this host is
solved.
The problem with self signed certificates is: Anybody along the way can
exchange the certificate. The client has no way to verify the
certificate. Unless I send the fingerprint of my self signed certificate
by (encrypted) mail or somehow to the client and then the fingerprint is
compared manually:
58:87:52:44:D8:60:12:B0:FB:D5:F6:C0:6E:F1:6E:FC:A2:0E:15:8D:58:E9:6E:6F:76:CE:DA:66:60:B5:9B:C2
is the fingerprint for github.
Nobody will do this. With DANE the DNS is providing this information.
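The private-CA procedure and the two verification options discussed in this message (manual fingerprint comparison, and DANE), as an added example that is not part of the original post: it uses openssl directly instead of easy-rsa's build-ca / build-key-server, and the host name intranet.example and the work directory are assumed values.

```shell
# Added example, not from the original post: an openssl-only stand-in for the
# easy-rsa "build-ca" / "build-key-server" steps, plus the two checks the post
# mentions (a fingerprint for comparison by hand, and a DANE TLSA record).
# The host name intranet.example and the work directory are assumed values.
set -eu
WORK="${TMPDIR:-/tmp}/private-ca-demo"

# "build-ca": a self-signed root that every client in the network installs.
make_root_ca() {
  mkdir -p "$WORK"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Example Intranet Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# "build-key-server": a server certificate for host $1, signed by that root.
issue_server_cert() {
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 825 -sha256 -out "$WORK/$1.pem" 2>/dev/null
}

# What a client with the root installed does: chain validation.
# Exit status 0 if host $1's certificate chains to our root, non-zero otherwise.
verify_against_root() {
  openssl verify -CAfile "$WORK/ca.pem" "$WORK/$1.pem" >/dev/null 2>&1
}

# Colon-separated SHA-256 fingerprint of host $1's certificate, the value
# that has to be compared by hand when there is no CA and no DANE.
fingerprint() {
  openssl x509 -in "$WORK/$1.pem" -noout -fingerprint -sha256 | cut -d= -f2
}

# DANE TLSA record data for host $1: usage 3 (DANE-EE), selector 1
# (SubjectPublicKeyInfo), matching type 1 (SHA-256). Published in DNS, it lets
# a client verify a self-signed or private-CA certificate without a third party.
tlsa_3_1_1() {
  printf '3 1 1 %s\n' "$(openssl x509 -in "$WORK/$1.pem" -noout -pubkey \
    | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256 \
    | awk '{print $NF}')"
}

if [ "${1:-}" = "demo" ]; then   # sh ca-demo.sh demo
  make_root_ca && issue_server_cert intranet.example
  verify_against_root intranet.example && echo "chain to private root: OK"
  fingerprint intranet.example && tlsa_3_1_1 intranet.example
fi
```

The TLSA data would be published as `_443._tcp.intranet.example. IN TLSA 3 1 1 <hash>`; clients without the root installed can still verify the certificate through that record once DANE support is present.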