Mozilla wants to drop HTTP support in Firefox

vbimport

#1

We’ve just posted the following news: Mozilla wants to drop HTTP support in Firefox[newsimage]http://static.myce.com//images_posts/2011/11/FirefoxLogo1.jpg[/newsimage]

A Mozilla security engineer, Richard Barnes, has proposed to slowly phase out support for unencrypted HTTP traffic.

            Read the full article here: [http://www.myce.com/news/mozilla-wants-to-drop-http-support-in-firefox-75760/](http://www.myce.com/news/mozilla-wants-to-drop-http-support-in-firefox-75760/)

            Please note that the reactions from the complete site will be synched below.

#2

Is that guy ffing nuts? Not everyone that has a site needs an SSL certificate or can afford it.


#3

Crazy! there is plenty that doesn’t need to be on HTTPS, or that don’t support it.

Building in “https everywhere” without needing a plugin would be a better idea - where HTTPS is supported, it’s better to use it full time rather than just for login credentials - the secure login, non secure browse is open to attack on an open network.


#4

Recently, I read about how the Chines government used unsecured traffic to attack Github: apparently they were able to inject malicous JavaScript code onto Baidu.com. Using this man-on-the-side attack, China was able to use Baidu’s visitors to launch ddos attacks against Github, without said visitors even knowing about it.

Cyber criminals, such as the Chinese government, can theoretically add similar code to any unsecured connection, and there’s little anyone can do about it, except encrypting their connections as much as possible ( I’m guessing that, like their users, the admins running Baidu didn’t know about the malicious code either). That’s why Mozilla’s move makes sense to me. HTTP is basically just one big security hole, which anyone can inject malware into.

As for advertisers claiming they can’t make as much money with HTTPS, that’s to be expected. There’s nothing advertisers seem to love more than knowing everything they can about everyone they can. I’ll bet privacy-protecting tools like Privacy Badger and Disconnect scare them more than anything.


#5

I effectively had this experience this evening when my ISP somehow blocked HTTP traffic for a few hours, probably due to a Firewall misconfiguration.

One thing I can say for certain is that if Mozilla made this move right now, not many websites will load. For example, while I had no issue with Google’s own services (Search, Gmail & YouTube) and other sites that mainly use HTTPS, most other websites were completely inaccessible during the HTTP outage, including Myce and many other news sites. A few did load after accepting an expired or invalid certificate when I tried the https:// version.


#6

Personally I think it would make more sense to slowly phase out support for Firefox rather than phase out support for HTTP. :doh:
Firefox is currently my main browser, but they need to not become more stupid than they already are.

Supporting HTTP is far simpler than supporting HTTPS, and not everything needs to be encrypted or digitally signed.


#7

It’s true that many websites require HTTP, but that’s the main reason why Mozilla wants to take thier time, phasing out HTTP one state at a time. If Mozilla were stupid enough to do so in a hurry, no one would use Firefox (although someone would probably write a fork). Odds are, this is probably going to be a decade-spanning goal.

Also, I must empazise that HTTPS for all sites is essential for both privacy and secuirty. Between cybercriminals injecting malicous code on-the-fly to other websites, and the ease of which advertisers and dubious law enforcement agencies (such as the NSA) can record your activities, HTTP is just too insecure for me.

IMHO, saying that HTTPS should only be used for “certain” activities is like saying a firewall should only be used when updating the OS. Both are needed for as long as a user remains on the internet.


#8

https:// is too many characters… I think " URL://  " is good enough let the site negotiate what’s required, such as a secure connection or you can click an icon to secure the connection & the site automatically adjusts to an encryption key wihtout retyping the url


#9

This is more or less the disease “Foot in Mouth” disease and they need to find a vaccine to cure it permanently…called… Get Fired…