Mozilla intends to deprecate HTTP-without-TLS



  • I'll just put it at the end of my list then.

    Standards that need replacing

    4538. DNS



  • @Salamander said:

    My internet speed is currently capped, and I got 77.450s on HTTP and 110.736s on HTTPS, on the latest Chrome. So, what about that overhead?

    Chrome apparently removed SPDY support and now only supports the HTTP 2.0 recommendation. So you're effectively getting HTTP 1.1 with TLS, foregoing all the benefits of resources being multiplexed onto the same secure connection.

    This is what you get when you don't implement a good deprecation strategy like Mozilla is planning for plaintext HTTP, but just cut things off cold-turkey style.



  • @immibis_ said:

    WTF Discourse? I tried to reply to two posts and my first reply got deleted. It was something about how http://httpvshttps.com/ compares HTTP 1 and HTTP 2, which has nothing whatsoever to do with TLS, except that it's a convenient way for Mozilla and Google to push it by confusing people into thinking it makes their connections faster.

    The push to HTTP 2.0 is part of the push to HTTPS. All part of the same strategy moving forward.
    By the time Mozilla will actually remove plaintext HTTP (which should happen after a substantially long period of having it in deprecation) HTTP 2.0 adoption should already be substantial enough that all the parties interested in good performance out of their products (be it web-services, -sites or -apps) will have moved over to it. The resource multiplexing in HTTP 2.0 will then make most of the TLS overhead insignificant.



  • @RaceProUK said:

    So, the is Mozilla wants the Web to be more secure? Because that sounds like a good thing to me...

    As ever, security depends on the details of who the security measures are aimed at protecting, and from what.

    If the threat comes from third parties being able to intercept and/or modify traffic between the browser and the server, then https improves security.

    If the threat comes from students downloading porn, warez and malware onto school computers, then making https mandatory at the browser makes security much, much worse: the only feasible way to implement any form of content filtering becomes MITM attacks against SSL, and this necessarily involves the use of CAs that support spoofing certs, and that's security holes bought in bulk from Costco.

    Security is inherently complicated. There is no way to make that untrue. In particular, a widespread false sense that everything is secure because https! will give rise to security practices much, much worse than those we see around us today.


  • BINNED

    For proof of above see: blocking torrents on your firewall.

    They don't give a rat's ass which ports are open, as long as there is one. And SSL enabled trackers are not uncommon.


  • ♿ (Parody)

    @immibis_ said:

    Until Google does the same thing.

    So you're saying this is a fifth column plot by the Opera people to become relevant.


  • ♿ (Parody)

    @immibis_ said:

    Also, confirming that Google have a similar plan.

    Not surprising, though I wonder what this means:

    ...albeit limited to "powerful features."


  • BINNED

    @boomzilla said:

    So you're saying this is a fifth column plot by the Opera people to become relevant.

    I think now that Opera became just another skin for WebKit / Blink / whatever we're calling it this week, I'm going to say it's doubtful.



  • @aliceif said:

    A "solution" from the discussion:

    • Perhaps a build-time configuration could be enabled that would enable system administrators to ignore the warning for certain subdomains or the RFC 1918 addresses as well as localhost. Note that carrier grade NAT in IPv4 might make the latter a bad choice by default.

    There's always RFC 6598 that carriers are implementing now. I remember getting a 100.x.x.x IP address on my phone and thinking that was interesting.

    @Matches said:

    I'm actually for this, but you have to simultaneously enable a more accessible SSL cert. It's unreasonable to deprecate HTTP then continue charging 80 USD for a cert.

    There's also http://www.cacert.org/ but I'm not sure if they are fully trusted yet.
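The exemption sketched above (plaintext allowed for localhost and RFC 1918 addresses, with the caveat that carrier-grade NAT space from RFC 6598 is not local) as an added Python example that is not from the thread or from any browser vendor; the policy function and the subdomain allowlist parameter are hypothetical:

```python
import ipaddress
from typing import Tuple

# Address ranges named in the thread (constructed here from the RFCs).
RFC1918_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RFC6598_NET = ipaddress.ip_network("100.64.0.0/10")  # carrier-grade NAT shared address space
LOOPBACK_NETS = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128")]


def classify_host(host: str) -> str:
    """Return 'loopback', 'rfc1918', 'rfc6598', 'public' for IP literals, or 'name' for a DNS name."""
    try:
        addr = ipaddress.ip_address(host.strip("[]"))  # tolerate bracketed IPv6 literals
    except ValueError:
        return "name"
    # Network containment returns False on an address-family mismatch, so mixing v4/v6 here is safe.
    if any(addr in n for n in LOOPBACK_NETS):
        return "loopback"
    if addr.version == 4:
        if addr in RFC6598_NET:
            return "rfc6598"
        if any(addr in n for n in RFC1918_NETS):
            return "rfc1918"
    return "public"


def plaintext_exempt(host: str, exempt_suffixes: Tuple[str, ...] = ()) -> bool:
    """Hypothetical admin policy: skip the insecure-HTTP warning only for loopback, RFC 1918
    addresses, 'localhost', or names under an explicit suffix allowlist.

    RFC 6598 space is deliberately NOT exempt: 100.64.0.0/10 is assigned by the carrier, so a
    'local-looking' peer may in fact sit on the far side of the ISP's NAT."""
    kind = classify_host(host)
    if kind in ("loopback", "rfc1918"):
        return True
    if kind == "name":
        h = host.lower().rstrip(".")
        return h == "localhost" or any(h == s or h.endswith("." + s) for s in exempt_suffixes)
    return False
```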


  • ♿ (Parody)

    @Onyx said:

    I think now that Opera became just another skin for WebKit / Blink / whatever we're calling it this week, I'm going to say it's doubtful.

    It obviously depends on where that stuff gets implemented. I have very little (desire for) knowledge of browser implementations, but damned if I'll let that get in the way of a lame joke / troll.


  • BINNED

    @boomzilla said:

    but damned if I'll let that get in the way of a lame joke / troll

    That is fully within your rights. As it is within mine to lament the days of Opera 12, call Opera ASA traitors, and wear onions on my belt.


  • ♿ (Parody)

    @Onyx said:

    Opera 12,

    I still run that, BTW. It's my wife's browser on my machine and I use it for playing Pandora. The browser cache is...easy to read.



  • @anonymous234 said:

    For example, GET RID OF USERNAME AND PASSWORD DIALOGS, let me authenticate to the browser and let the browser authenticate to the page.

    For some reason, they want to make everything TLS, while utterly dragging their heels on TLS-SRP implementation, while not realizing that they are the ones holding back adoption -- the serverside TLS implementations already support it.


  • Discourse touched me in a no-no place

    @sloosecannon said:

    StartSSL is free too

    Unless, after one year, they decide that your site is (for a) business and the only reason you want the cert is to conduct financial transactions over it. Regardless of whether you are or not.

    No appeals allowed.


    Upon a renewal request:

    @certmaster@startcom.org said:

    The request for a server certificate for [website] has been declined. For more information please contact us. Thank you!

    @me said:
    May I ask the reason for the decline?

    @certmaster@startcom.org said:
    Thank you for requesting a digital certificate with us. However Class 1 certificates are not meant to be used for commercial activities or financial transactions according to our policy. For this purpose please consider upgrading to Class 2 or higher verification level.

    Please see https://www.startssl.com/?app=32 about how to enroll. Thank you for your understanding.

    @me said:

    Thanks for the reply.

    May I

    1. have a link to this policy for the definition of 'commercial activity' (there are no financial transactions happening on that site - it is merely serving as an online 'catalogue' and any transactions have to be held off the internet either on the brick and mortar premises or over the phone), and

    2. ask when this policy was enacted, since this didn't seem to be a problem over the past year when I applied last August...

    @me said:

    Don't worry - looks like I've found it, and it appears to have been retroactively added.

    @certmaster@startcom.org said:

    Sure. Here is the link https://www.startssl.com/policy.pdf

    @me said:

    Sadly that still doesn't define commercial nature. However, for example, from the webpage that describes Class 2:

    StartSSL™ Verified are intended for:

    • web sites, which perform financial transactions like credit card details or other payment methods, so that a visitor can be assured, that the person and company operating it can be traced to a real entity.
    • companies or individuals which have to deal worldwide with prospective clients and partners and need to be assured of correct information about them.
    • easier management of keys and certificates, complex configurations and multiple web sites on the same server and IP address and IIS/ISA setups.

    None of these applies to the website concerned.

    And that was the last message.

