[ALUG] Mozilla will obsolete HTTP
Tim Schofield
tim.schofield1960 at gmail.com
Sun May 3 17:19:05 EAT 2015
Hi Andreas, you are way smarter than me on the technical details but
most people would not be aware of the free certificates you mention.
For the average person wanting to setup a simple web site all they
would see are organisations like godaddy who want GBP48.99 per year
(1&1 want GBP55 per year) for a certificate, effectively doubling the
hosting cost. I imagine godaddy and 1&1 are not a lot different than
other mainstream hosting companies and are certainly amongst the most
popular. Yes I know that there are better hosting companies but the
average person will just go with what they have heard of.
Mozilla appear to say they will deliberately worsen the way a site
looks in Firefox if the site does not use https only. Doesn't this go
against the principles of net neutrality?
Tim
On 3 May 2015 at 12:36, Andreas Tauscher via Linux
<linux at lists.habari.co.tz> wrote:
> Am 05/03/2015 um 11:54 AM schrieb Tim Schofield via Linux:
>
>> This "feels" wrong to me. It seems like another way to move the web
>> into being owned by governments and corporations and away from it's
>> free, open and transparent founding principles.
>
> I understand your concerns. At the moment the CA infrastructure is
> somehow broken. If I count 300+ CAs in the OS/browser trust store
> something is wrong.
> And where do I get a certificate?
> Many hosting providers offering certificates for free for the domains
> registered with them. Some CAs are offering certificates for free like
> StartSSL and WoSing. Mid of the year letsencrypt.org will go operational
> also offering free certificates.
> The next component is DANE [1] what has to arrive in the client software.
> With DANE the client can verify certificates by DNS lookups. I have only
> to publish fingerprints or certificates as TLSA records in my DNSSEC
> secured zone.
> Not only the clients can verify even my self signed certificate: I can
> also run my own CA without having my root certificate in the client's
> trust store.
> But for the moment DANE is only supported by postfix 2.11+ and with
> plugins by Chrome and Firefox. For Thunderbird (Linux only) is a crutchy
> workaround available.
> With DANE nothing is given to governments or corporations.
>
>> Yes there are sites that should obviously be https only, but there
>> are also sites where it would be unnecessary.
>
> It is necessary for all pages!
> It is not only that nobody can read what I enter. It is also for the
> site owner to ensure that the content arrives unmodified.
> Comcast is injecting advertisement in web traffic. [2]
> AT&T/Verizon is injecting tracking cookies in web traffic. [3]
>
> Who wants a third party modifying my content without my permission?
> If I care about my content arrives unmodified I have to encrypt.
>
>> It is not up to the likes of Google/NSA/Mozilla to force this onto
>> us.
>
> If Google is trustworthy: Different problem. But somebody has to start.
> And now Google and Mozilla starting from this end.
> Last year thousands of mailing lists exploded because Yahoo started to
> verify DKIM signatures. Outdated or wrong configured mailing list
> software is breaking this signature: Reject or Spamfolder depending
> which DMARC policy was published.
> Big crying. But sorry: If you operate a mailing list and you have no
> idea what your software is doing with mails: You are in the wrong business.
>
> Giving recommendations is obvious not working. As long there are so many
> host/post/web/whatever masters having no clue what they are doing, being
> ignorant or simply stupid the only way I see is to bring more pressure
> on them: You get your crap fixed and meeting actual standards or you are
> out. There was more than enough time.
>
>> They would be better looking at the insecurities in their
>> JS/ActiveX engines that allow malware to get installed if a user goes
>> to an insecure site.
>
> That is a different problem.
> IMHO the most blame has be brought to the webmasters/webdesigners.
> As long I find thousands of websites using a million years old version
> of wordpress, phpBB, drupal or whatever, most web"designer" even having
> no idea what XSS or SQL injection is, as long bastards like ebay
> ignoring XSS issues for over one year [4] (when I search the full
> disclosure mailing list for ebay: Amazing. They are real experts in
> creating XSS holes. Nobody having this much CVE numbers related to XSS),
> wordpress needing over one year to fix XSS vulnerabilities and then a
> few days later exploding again with an even more worse stored XSS,
> advertisement networks like AOL's advertise.com are frequently abused to
> distribute maleware and Adobe never getting fixed their crap flash
> player and Mircosoft is not getting an update mechanism for software
> working:
> The best and most secure js engine can not protect me. It can only limit
> the damage already done by others.
> It is like blaming the car manufacturer for failing breaks when driving
> 200 on a slippery road.
>
> Andreas
>
> [1] http://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities
> [2]
> http://arstechnica.com/tech-policy/2014/09/08/why-comcasts-javascript-ad-injections-threaten-security-net-neutrality/
> [3] https://www.eff.org/de/deeplinks/2014/11/verizon-x-uidh
> [4]
> https://grahamcluley.com/2014/09/ebay-password-stealing-security-hole-existed-months/
>
>
> _______________________________________________
> The Arusha Linux User Group: http://unix.or.tz
> Linux mailing list
> Linux at lists.habari.co.tz
> http://lists.habari.co.tz/cgi-bin/mailman/listinfo/linux
>
> The Arusha LUG mailing list is generously hosted by Habari Node Ltd: http://www.habari.co.tz/
>
> The above comments and data are owned by whoever posted them (including attachments if any). The mailing list host is not responsible for them in any way.
--
Course View Towers,
Plot 21 Yusuf Lule Road,
Kampala
T +256 (0) 312 314 418
M +256 (0) 752 963 325
www.weberpafrica.com
Twitter: @TimSchofield2
Blog: http://weberpafrica.blogspot.co.uk/
More information about the Linux
mailing list