Our Year in Review: How we’ve kept Firefox working for you in 2020 (blog.mozilla.org)
68 points by joeyespo on Dec 30, 2020 | hide | past | favorite | 104 comments


>HTTPS-Only mode ... will also ask for your permission before connecting to a website if it doesn't support secure connections.

This is being done with the best of intentions but browsers scaremongering over HTTP sites as if they are dangerous is a bad thing. There is more to the web than commercial transactions!

Human people cannot feasibly be cert authorities. Only corporations can. When browsers will only display sites that are authorized by corporations we're eventually going to be in big trouble. Yes, LetsEncrypt is a benevolent corporation, yes there are even options beyond LE, but as we know from the dot org fiasco, as long as there is potential money to be made these benevolent dictatorships will eventually go very bad. And that's ignoring all centralization making a very juicy target for government censorship.

Encrypt, yes. But also allow plaintext. The potential for a downgrade attack on a "secure" site is worth far less to the world than being able to communicate person to person without a corporate intermediary approving every bit.


I don't really agree. Firefox itself could run a free Certificate Authority if it ever came to that. Your scenario is much less likely, and much more easily fixable than the status quo where most websites don't bother exposing their site over HTTPS, creating huge security and privacy risks for consumers of said sites.

There is absolutely no reason not to have your site functioning over HTTPS these days, except negligence.


try running `python3 http.server 8080` on a safe directory on your laptop, and see if you can easily access a file from it from your mobile.

With Firefox for Android, it doesn't permit you to connect a machine on your own LAN, even if you try to add an exception.

With stock browser it does.

I'm sure there are better ways to serve a file between machine and phone, but that python snippet was my easiest go-to.

No more


> try running `python3 http.server 8080` on a safe directory on your laptop, and see if you can easily access a file from it from your mobile

Works without a problem (I just tried python -m SimpleHTTPServer). You just have to type out the http://-part explicitly. Wow, that would be annoying if they dropped http completely.


? I just tried it and it works fine. Firefox 84.1.1 on Android, connect to 192.168.x.y:8080 and it comes up and shows me a directory listing that I can navigate and open files from. (you missed the -m, BTW; it's `python3 -m http.server 8080`)


wouldn't it be much easier to use scp for that? there are plenty of android clients, and plenty of windows servers.

I just actually use synced storage (Synology Drive from a Synology NAS), so I would probably use a Dropbox like service for that functionality.

There's an app called droid transfer that basically does what you did with python (setup a server and have a simple download client), and there's also wireless ADB (which will require you to use the USB cable for the initial setup)


I think the point is e.g. being able to quickly share a file with a smartphone nearby, that is not yours. Not telling your co-workers to install on their phones some app foreign to them.


> Firefox itself could run a free Certificate Authority if it ever came to that

how would that be any better?


Not to mention many non-https sites have zero reason to be. A plain HTML portfolio site, for example, should not be flagged with a scary "insecure" logo because its content is not encrypted.


We need to protect the integrity of the information so that it's not abused to serve malware or pages that exploit zero-day vulnerabilities to the end-user when they browse on an insecure network (which, if Snowden's publications are anything to go by, is every network).

HTTPS is not just confidentiality - security is confidentiality, integrity and availability.


HTTPS ensures the data isn't tampered with during transport, but it doesn't ensure the integrity of the data itself. That's why there are things like Subresource Integrity (which doesn't apply to top-level resources like HTML).

However, there's no way to ensure the files we download are created by who they say they are. A domain, for example, can change hands, and existing links, say on HN, can be loaded with unexpected, potentially malicious, content. Same for hacked servers.

IMO we need some form of standard page signing to enforce actual integrity of information, not just transport. I made a proof-of-concept Web Extension to show how that might be possible using PGP [1]. Of course PGP has its own issues but it's just an experiment.

[1] https://webverify.jahed.dev/
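The distinction drawn above (transport integrity from HTTPS versus content integrity from a pin the page carries) is easy to see in code. The following is an added example, not code from the original post or from the webverify extension: a stdlib-only implementation of Subresource Integrity hashing and the browser-side check, run against a constructed script body and an altered copy of it. The strongest-algorithm rule and the "unknown algorithms are ignored" behaviour follow the SRI spec; the sample scripts are made up for the demo.

```python
"""Subresource Integrity (SRI) hashing and verification, stdlib only.

Added example for the thread above; not code from the original post or
from the webverify extension. The script bodies below are constructed.
"""
import base64
import hashlib
import hmac

# Algorithms the SRI spec allows, with their relative strength. A browser
# keeps only the tokens of the strongest algorithm present and accepts the
# resource if any one of those digests matches.
_ALGS = {"sha256": hashlib.sha256, "sha384": hashlib.sha384, "sha512": hashlib.sha512}
_STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}


def sri_hash(body: bytes, alg: str = "sha384") -> str:
    """Return the integrity token to pin in the page, e.g. 'sha384-<base64>'."""
    if alg not in _ALGS:
        raise ValueError(f"unsupported SRI algorithm: {alg}")
    digest = _ALGS[alg](body).digest()
    return f"{alg}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(body: bytes, integrity: str) -> bool:
    """Check a fetched body against an integrity attribute value.

    Tokens with unknown algorithms are ignored, as a browser does. If no
    usable token remains, SRI is not in effect and the body is accepted.
    """
    by_alg = {}
    for token in integrity.split():
        alg, sep, value = token.partition("-")
        value = value.split("?", 1)[0]          # drop any '?options' suffix
        if sep and alg in _ALGS:
            by_alg.setdefault(alg, []).append(value)
    if not by_alg:
        return True
    strongest = max(by_alg, key=_STRENGTH.__getitem__)
    actual = base64.b64encode(_ALGS[strongest](body).digest()).decode("ascii")
    return any(hmac.compare_digest(actual, v) for v in by_alg[strongest])


# Constructed sample: the script the page author pinned, and the same
# script after the host changed hands (or was compromised) and the content
# was altered. HTTPS delivers either one with a perfectly valid certificate.
ORIGINAL_JS = b"window.track = function () { /* harmless */ };\n"
TAMPERED_JS = ORIGINAL_JS.replace(b"harmless", b"modified")


def demo() -> dict:
    pinned = sri_hash(ORIGINAL_JS)       # what the <script integrity=...> carries
    return {
        "original_accepted": verify_sri(ORIGINAL_JS, pinned),
        "tampered_accepted": verify_sri(TAMPERED_JS, pinned),
    }


if __name__ == "__main__":
    print(sri_hash(ORIGINAL_JS))
    print(demo())
```

The pin lives in the HTML that references the script, so SRI only protects sub-resources; the top-level document itself has no such pin, which is exactly the gap the page-signing experiment in the comment above is aimed at.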


Having a valid ssl cert does not stop a website from serving malware.


No, but it stops third parties from adding it


No it doesn't.


Okay, I'll bite. Let's say I'm loading a page over https, and you control the network but not the server (mitm). How exactly are you adding content to the page?


Attack the client's (or some sub-population of clients at some ISP) DNS resolver and point it towards other IPs that serve up a clone of the web interface with their own LE signed HTTPS but now with some new content too.

This is the same argument technique being used when people say, "Oh, but you can MITM HTTP!" Yes, a targeted attack on something beyond your webserver is bad. But it applies to HTTP and HTTPS.


Yeah, no; there's a world of difference between subverting the uplink for a single client (all that you need for altering unencrypted traffic) and subverting the network for your target/victim and multiple LE servers that are designed to resist this attack [0]. If your proposed attack worked, it would be front-page news because it'd undermine the security of ex. gmail/banks. HTTPS moves the bar from "bored script kiddies can do this"[1] to "would need a nation-state-level attack to subvert that many networks at once and we'd know about it because that scale of network redirection would not fly under the radar".

[0] https://letsencrypt.org/2020/02/19/multi-perspective-validat...

[1] http://codebutler.github.io/firesheep/


1. You're the one that told me I had control of the client network as per MITM; don't move the goalposts.

2. You're overthinking this. I'm not talking about hijacking established sessions. I'm talking about never letting the authentic session start in the first place.

As soon as the attacker controls the DNS resolver it doesn't matter what security you have in place. The bank and the LE servers and all that can be perfectly secure. But if the client is going to the wrong IPs they never will interact with them. They'll only interact with the perfectly valid HTTPS hosts the attacker sets up.


My initial statement was that HTTPS would prevent a third party from adding malware to a site (implicitly, "as it was loaded"), to which pbalau responded "No it doesn't." Are you suggesting that our attacker can "just" compromise the victim's machine or the hosting server? Because that's true, but HTTPS is effective against network attacks. Deploying HTTPS also won't prevent someone from mugging you IRL, but that doesn't mean that it's not an effective security measure for what it does.

If we're talking about SSL Stripping, then 1. we're back to you needing to control the network, so apparently my goalposts are exactly in the right place, 2. that is at best partially effective (AFAIK, requires the victim to start from a non-HTTPS page, so again, we really want 100% of sites on HTTPS), and 3. that works specifically by getting the victim back onto insecure HTTP, so if you need that then it's proof of the effectiveness of HTTPS.
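The SSL-stripping point above (the attack only works if the victim's first request goes out over plain HTTP, and HSTS plus the preload list closes that window) can be made concrete with a small model of the client side of RFC 6797. The following is an added example, not code from the thread or from Firefox: an HSTS store with expiry, includeSubDomains and a stand-in for the preload list, and the upgrade decision a browser makes before any packet leaves. The hostnames, timestamps and the tiny "preload list" are constructed for the demo.

```python
"""Client-side HSTS policy (RFC 6797), stdlib only.

Added example; not code from the thread or from any browser. Hostnames,
timestamps and the preload set below are constructed for the demo.
"""
import time
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsEntry:
    expires: float            # absolute time; float('inf') for preloaded hosts
    include_subdomains: bool


def parse_hsts(header: str):
    """Parse a Strict-Transport-Security value.

    Returns (max_age, include_subdomains), or None when the required
    max-age directive is missing or malformed (the header is then ignored).
    """
    max_age, include_sub = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age" and value.isdigit():
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)


class HstsStore:
    def __init__(self, preload=()):
        # Stand-in for the browser's built-in preload list: never expires,
        # and entries on the real list cover subdomains.
        self.known = {h.lower(): HstsEntry(float("inf"), True) for h in preload}

    def observe(self, scheme, host, header, now=None):
        """Record a header from a response. Only honoured over HTTPS: anyone
        on the path can inject headers into a plaintext response."""
        if scheme != "https":
            return
        parsed = parse_hsts(header)
        if parsed is None:
            return
        max_age, include_sub = parsed
        now = time.time() if now is None else now
        if max_age == 0:                      # max-age=0 means "forget me"
            self.known.pop(host.lower(), None)
        else:
            self.known[host.lower()] = HstsEntry(now + max_age, include_sub)

    def is_known(self, host, now=None):
        """True if host, or a parent with includeSubDomains, has a live entry."""
        now = time.time() if now is None else now
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.known.get(".".join(labels[i:]))
            if entry is None or entry.expires <= now:
                continue
            if i == 0 or entry.include_subdomains:
                return True
        return False


def navigate(url, store, now=None):
    """Return the URL the client actually requests. An http:// URL to a
    known host is rewritten to https:// before any request is sent, so a
    stripping proxy never sees a plaintext request it could answer."""
    parts = urlsplit(url)
    if parts.scheme == "http" and store.is_known(parts.hostname, now):
        netloc = parts.netloc[:-3] if parts.netloc.endswith(":80") else parts.netloc
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
    return url


def demo():
    store = HstsStore(preload=["bank.example"])
    t0 = 1_000_000.0
    out = {}
    # First-ever visit, host not known: the plaintext request goes out.
    # That first request is the whole window an SSL-stripping proxy needs.
    out["fresh_host"] = navigate("http://portfolio.example/", store, t0)
    # Preloaded host: upgraded before any request, stripping never gets a chance.
    out["preloaded"] = navigate("http://bank.example/login", store, t0)
    out["preloaded_subdomain"] = navigate("http://www.bank.example/", store, t0)
    # A header seen over HTTPS pins the host for max-age seconds...
    store.observe("https", "portfolio.example", "max-age=31536000; includeSubDomains", t0)
    out["after_header"] = navigate("http://portfolio.example/", store, t0 + 10)
    # ...and lapses afterwards unless refreshed by another HTTPS visit.
    out["after_expiry"] = navigate("http://portfolio.example/", store, t0 + 31536001)
    # A header injected into a plaintext response must be ignored.
    store.observe("http", "shop.example", "max-age=31536000", t0)
    out["http_header_ignored"] = navigate("http://shop.example/", store, t0)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:22s} -> {v}")
```

The "fresh_host" case is the one the comment refers to: without a prior HTTPS visit or a preload entry, the browser has nothing to upgrade from, which is why the argument for every site being on HTTPS includes the portfolio-style sites, not only the ones with logins.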


You're missing your very own point again. You guys are up in arms about potential attacks against the client or the network. Attacks that have nothing to do with the web server.

I am giving examples of how that class of attacks is not mitigated by HTTPS.

I am not talking about SSL stripping. I am talking about not even letting the client talk to the remote host because in the scenario where you MITM you have control of the network.


Assuming you own the DNS server and redirect traffic to a different IP address, how will your fake host provide the CA-verified certificate to the client?


I thought about this a lot. You're right. There's no way. I was wrong. Sorry.


How would you get a LE cert for a domain you don't control? Your proposed attack is thwarted by ACME challenges.

You could redirect the user to an HTTP site, but 1. that can be defeated by adding the domain to the HSTS preload list 2. This isn't replacing the content of an HTTPS site, but replacing an HTTPS site with an HTTP one.

To actually pull your attack off, you'd need to add your own root certificate to the client device (which means you either tricked the user into doing it and could've as well tricked them into letting you take control of their device anyway, or actually had control of their device - in both cases MITM is pointless at that point), or trick a CA into issuing you a certificate for a domain you don't own/steal a CA's private keys - both of which are things that can easily kill a CA (see DigiNotar, which stopped existing the same month the security breach was reported), and therefore obviously aren't easy to pull off.
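The exchange above turns on why a DNS hijack near the victim does not get the attacker a certificate: the CA validates control of the name from its own vantage points, not the victim's resolver, and Let's Encrypt does so from several networks at once (the multi-perspective validation post linked earlier). The following is an added example, not Let's Encrypt's or the thread's code: the ACME HTTP-01 key authorization from RFC 8555 (token plus the RFC 7638 thumbprint of the account key) and a simplified quorum-based validation, run against a constructed network in which the attacker can poison the DNS view of zero, one, or all of the CA's vantage points. The account keys are placeholders (not real EC points), the IPs are from documentation ranges, the token is fixed instead of random, and the "3 of 4 must agree" rule is a simplification, not Let's Encrypt's actual policy.

```python
"""ACME HTTP-01 key authorization (RFC 8555) plus a simplified
multi-perspective validation, stdlib only.

Added example; not Let's Encrypt's or the thread's code. Keys, IPs, token
and the quorum rule are constructed or simplified for the demo.
"""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members in canonical
    JSON (lexicographic keys, no whitespace). Extra members are ignored."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """What /.well-known/acme-challenge/<token> must return for the account
    that placed the order: the token bound to that account's key."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def validate_http01(domain, token, account_jwk, vantage_points, quorum):
    """Each vantage point resolves the name itself and fetches the challenge.

    vantage_points: {name: (resolve(domain) -> ip, fetch(ip, path) -> str|None)}
    Returns (issue, per_vantage_result). Issue only if at least `quorum`
    vantage points saw the expected key authorization."""
    path = f"/.well-known/acme-challenge/{token}"
    expected = key_authorization(token, account_jwk)
    results = {}
    for name, (resolve, fetch) in vantage_points.items():
        body = fetch(resolve(domain), path)
        results[name] = body is not None and body.strip() == expected
    return sum(results.values()) >= quorum, results


# --- constructed world for the demo ------------------------------------------
DOMAIN = "portfolio.example"
REAL_IP, ROGUE_IP = "203.0.113.10", "198.51.100.7"      # documentation ranges
OWNER_JWK = {"kty": "EC", "crv": "P-256", "x": "owner-x-placeholder", "y": "owner-y-placeholder"}
ATTACKER_JWK = {"kty": "EC", "crv": "P-256", "x": "attacker-x-placeholder", "y": "attacker-y-placeholder"}
VANTAGES = ("primary", "remote-1", "remote-2", "remote-3")


def run_scenario(requester_jwk, poisoned, quorum=3):
    """`poisoned` is the set of CA vantage points whose DNS view the attacker
    controls. The attacker's host always serves a key authorization for the
    attacker's own account; the real host only serves one if the owner placed
    the order."""
    token = "tok-0123456789abcdef"   # constructed; a real CA draws this at random
    path = f"/.well-known/acme-challenge/{token}"
    served = {REAL_IP: {}, ROGUE_IP: {path: key_authorization(token, ATTACKER_JWK)}}
    if requester_jwk is OWNER_JWK:
        served[REAL_IP][path] = key_authorization(token, OWNER_JWK)

    def make_vantage(name):
        resolve = lambda domain: ROGUE_IP if name in poisoned else REAL_IP
        fetch = lambda ip, p: served.get(ip, {}).get(p)
        return resolve, fetch

    vantage_points = {name: make_vantage(name) for name in VANTAGES}
    return validate_http01(DOMAIN, token, requester_jwk, vantage_points, quorum)


def demo():
    return {
        "owner_clean_dns": run_scenario(OWNER_JWK, poisoned=set())[0],
        # poisoning the victim's ISP resolver touches none of the CA's vantage points
        "attacker_poisons_victim_isp": run_scenario(ATTACKER_JWK, poisoned={"victim-isp"})[0],
        "attacker_poisons_one_vantage": run_scenario(ATTACKER_JWK, poisoned={"primary"})[0],
        "attacker_poisons_all_vantages": run_scenario(ATTACKER_JWK, poisoned=set(VANTAGES))[0],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:30s} issued={v}")
```

The last case is the bar the earlier comment describes: to get a certificate the attacker has to control the name as seen from every network the CA validates from, which is a very different proposition from redirecting one victim's DNS, and it leaves traces in the CA's logs and in Certificate Transparency.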


Would the third part not need to serve a valid cert to do this? I'd like to hear if it is easier or harder to do with http vs https


Yes, you'd need either a valid cert, or for the user to click through the big scary warning to accept the invalid (or self-signed) cert, either of which raises the bar way above unencrypted HTTP, where this attack is trivial (ex. https://en.wikipedia.org/wiki/Firesheep and https://stopthecap.com/2013/04/03/isp-crams-its-own-ads-all-... )


And, congrats, your portfolio now has injected banner ads and was used to deliver a drive-by exploit. HTTPS is confidentiality and integrity.


Why can't the portfolio page inject banner ads via HTTPS?


Because the modified page wouldn't be signed with that key? This is one of the basic things https does


HTTPS also protects against spying on the specific sub-page you're on for example. That's valuable.

Besides installing a Let's Encrypt cert is straightforward these days.


Accessibility is important too. Privacy is already a lost cause today for all but the ultra vigilant techies, and HTTPS won't help much there.


Certs can be purchased for the price of a coffee or two and are generally trivial to implement — there's really no reason NOT to upgrade these days, no matter how benign the content. And I say that as someone who still has a non-HTTPS portfolio site :)


And, therefore, a cert is about as meaningful as a coffee or two.

Someone not attesting the validity of the data served from their site is, effectively, lying if they provide a cert.


What exactly do you think https certs do?


Not very much. That is the point.


Totally agree. I have an iPad app that runs an embedded http server, so that other clients on the same lan can connect to it. Making that into an embedded https server would be a big hassle.


> Making that into an embedded https server would be a big hassle.

Why? HTTPS is an open protocol anyone can implement.


The certificate management is the problem here. Let's say the server is running on 192.168.1.73, how do I get a certificate for that? On the next start of the app, the server might be running on 192.168.1.76, so I need another certificate for that. You see the problem? Also take into account that the entire infrastructure for solving that problem needs to run inside the iPad App, which needs to be accepted to the Apple store ...


It's still a much bigger hassle to implement HTTPS than just HTTP.


The biggest hassle would be that the embedded HTTPS server needs a trusted certificate, but certificates are only issued for hostnames, not IP addresses. So the embedded HTTPS server's certificate and LAN clients would need to know the hostname of the device running the app.


Cloudflare manages to provide a certificate for https://1.1.1.1. (But not reserved ones; see [1].)

Aside from that, what is the purpose of this comment supposed to be? (The general tone reads as if it's meant to refute the parent; did you intend it to be a reply to chrisseaton instead—and thus a defense of the HTTPS-complicates-things position?)

1. https://news.ycombinator.com/item?id=16717849


> https://1.1.1.1

That's correct, some CAs issue certificates for public IPs. You're never ever going to get a cert for a private IP, since these are not globally unique.


This isn't saying anything not already covered in the material I referenced in my comment—although it does say it less precisely, so I'd argue on those grounds that all things considered this comment need not have been posted...

(In any case, I'm totally mystified about why my own comment that includes that link and corrects the untrue statement about it not being possible to get certificates for IPs was deemed to offend someone's sensibilities. Surely the offense, if there is one, is in the comment that makes an outright, verifiably untrue claim?)


That’s interesting about the 1.1.1.1 certificate.

I wasn’t refuting jackewiehose‘s comment about HTTPS hassles. I was just sharing a specific example of a hassle.


Don't your libraries implement it?


Open doesn't imply it's easy.


I live in a rural area in North America, a stone's throw away from a municipality of 160,000 people, and our internet is marginal. The constant push for https everywhere is making the web almost unusable for us. Https is being used to deliver fonts, javascript libraries, and images, also over https from multiple domains, all requiring multiple ssl negotiations. Usually one of these fonts/js/images times out, and as a result the entire page doesn't load.


I turned this on recently, and I don't think it's a good idea, unless your risk profile demands it - in which case you should be using something like Tails perhaps.

One interesting find was that close to 100% of all email tracking links are still on HTTP. None of the major email providers support HTTPS easily for those.


> When browsers will only display sites that are authorized by corporations we're eventually going to be in big trouble

Likewise they removed support for unsigned add-ons. So you can't just write a small private add-on without sending them your private(!) code. Who needs freedom when you are so well "protected" :-(


One reason to always use HTTPS is that HTTP connections can be hijacked to carry out DDoS attacks. See https://en.wikipedia.org/wiki/Great_Cannon


Generating a local CA and installing its certificate into the local browser(s) is not hard. Not harder than setting up an HTTP server on your LAN.

OTOH localhost is finally exempt from the "not https" warning.


HTTPS creates many barriers for accessibility, and I agree completely.

HTTPS is helpful but also a tool for more centralized control.


Oh, come on. This is such bullshit. Firefox is now about marketing. Mozilla isn't doing anyone any favors except themselves by "saving us" from one group or groups by giving our privacy away to other groups of their choosing.


Some ways they have not kept Firefox working for you in 2020:

- Laying off 25% of their engineers

- Investing in a 400% increase in leadership salaries and bonuses during record-low market share

- Adding more advertising to an end-user application

- Sending all of your browsing history to Cloudflare

- Launching a VPN grift which sends all of your data to another third-party (and charges you for the pleasure)

- Terminating Firefox Send and Firefox Notes

- Failing to open source Pocket, 3 years since their promise to


Don't forget

- Removing browser features (tab groups) by factoring them out into extensions, then

- Breaking the extension API such that such extensions are no longer possible, then

- Saying you'll add new extension APIs to allow such features but actually not implementing anything for several years (https://wiki.mozilla.org/WebExtensions/TabHiding / https://bugzilla.mozilla.org/show_bug.cgi?id=1332447)

- Separately, breaking all extensions on the mobile version of Firefox and then decreeing that the only extensions allowed on mobile must be specifically whitelisted by Mozilla


The number of tested extensions supported in Firefox for Android is growing and in the meantime you can install any extension from addons.mozilla.org in Firefox Nightly for Android:

https://blog.mozilla.org/addons/2020/09/29/expanded-extensio...


Average user here. Not really interested in jumping through hoops to get addons that seem like they were arbitrarily taken from me. The mobile rewrite shouldn't've been released until it was actually ready, because average users _do not care_ about Mozilla's development convenience.


> in the meantime you can install any extension from addons.mozilla.org in Firefox Nightly for Android

That was done after much screaming, and there are no plans to ever bring that out of Nightly.


Good tip, but it should never have become necessary.


It's just as if someone paid them good money to not compete with Chrome!

(I'm not saying that is part of the deal but I don't know what more Google could realistically hope for...)


I tend to believe that it is naive to think that Google would want Firefox to die.


So... with the huge caveat that I don't actually believe this... if we're going full conspiracy theory, Google probably benefits the most from Firefox being as weak as possible while staying technically alive. That is, Firefox needs to stay technically an option to stave off antitrust issues, but evil-google doesn't want anybody to actually use them, so it's preferable that Firefox is as buggy and feature-poor as possible.

Again, not something I actually believe, but the presented position is at least internally consistent/valid.


It's reasonable, thanks.


This is starting to look more and more realistic :-/


All of these are valid criticisms.

And the elephant in the room is the tiny and ever-shrinking user base. Not only do they fail to confront this single, existentially threatening fact, but they don't even bring it up.

It's like the Titanic's captain listing all the features which will keep you comfortable for the second half of the voyage.

The world would be better if firefox could succeed, but it's increasingly difficult to even imagine what this would look like, or how it could come to pass.


> Adding more advertising to an end-user application

That concerns me on a technical level; Mozilla-the-organisation now has control over the tiles on the default New Tab page which people are accustomed to using as bookmarks.

It's feasible that a bad actor could use that vector to replace valid URLs with nefarious ones as part of targeted phishing.


The Cloudflare thing is encrypted DNS, which I'm not sure Mozilla should be running its own DNS. You can easily opt out or use your own DNS, but what's the better option? Google? Your ISP (Comcast? Lol!)?

The Mullvad (VPN) thing is completely optional and you have to opt in by paying money. You are not required to use a VPN. I'm not sure why anyone is even remotely upset by this at all. What's the issue? Honestly, I don't understand.

Both these companies have good track records. I'm not sure what the issue is here. #2 seems to be my only concern.


The VPN game is a grift. It's based on using fearmongering to sell services people don't need without adequately explaining the tradeoffs and risks. I lump it in the same category as multi-level marketing scams, and it's not something Mozilla should be involved in.


>- Investing in a 400% increase in leadership salaries and bonuses during record-low market share

Source? The last financial release detailed 2018, one year after Mozilla's highest revenue year. Additionally, their CEO resigned and I doubt Baker got a raise at all, certainly not for more than Chris Beard's salary.


http://calpaterson.com/mozilla.html

The data is only as recent as 2018, indeed, but I don't have any reason to suspect that they've corrected course. It's an especially bad look when they're also laying off large swaths of their staff.


It's worth noting that in 2015 Mozilla negotiated a deal with Yahoo netting them an additional $100+ million a year. It makes sense that in 2016 the board would see a significant raise for however long their next contract is. I doubt this trend continues after 2018, when the sale of Yahoo saw a huge drop in revenue. They likely should have judged more on market share, but it's a fairly understandable move.

Also, that huge spike on the chart was roughly $4.5 million of the over $100 million in increased revenue.


> in 2015 Mozilla negotiated a deal with Yahoo netting them an additional $100+ million

... after spending years saying that the relationship with Google regarding search royalties was a serendipitous one that involved getting paid for a decision that was the right thing for users whether money was changing hands or not, and that the default search engine spot wasn't actually for sale.

That lie is not unlike their carefully crafted PR statements that were intended to mislead people about the financial arrangement regarding the Pocket partnership. Those efforts turned out to be so successful that they hoodwinked many of Mozilla Corporation's own employees—who interpreted the statements to mean that there was no financial incentive, just as it was intended to be interpreted by the general public. Then those employees began showing up on places like HN and started saying explicitly that there was no money changing hands, even though that's not what the PR statements ever said and reality actually differed.


>after spending years saying that the relationship with Google regarding search royalties was a serendipitous one that involved getting paid for a decision that was the right thing for users whether money was changing hands or not, and that the default search engine spot wasn't actually for sale.

What? The default search engine is unambiguously for sale, that's what Google (and other companies depending on your country) are buying. And it was the right decision to sell it to the highest bidder to fund development, when Yahoo bid more than Google they sold it to Yahoo.

I genuinely have no idea what point you are trying to make.


> I genuinely have no idea what point you are trying to make.

The point, as already stated, is that people who were official mouthpieces for Mozilla said for years that the default search engine simply wasn't up for sale to just whomever would pay for it. That it pointed to Google because Google's search engine was the best search engine for Firefox's users. Just like Google was the default search engine before Mozilla ever signed a deal. Just like Wikipedia was added to the searchbar without anyone paying to make it happen. That any royalties were icing on the cake. (See "serendipitous" in the previous comment). What's hard to understand about this or the earlier comment?


>is that people who were official mouthpieces for Mozilla said for years that the default search engine simply wasn't up for sale to just whomever would pay for it.

This is untrue. They openly stated they sold it to Google in 2008, and in 2011 a bidding war between Google, Microsoft, and Yahoo saw the price triple from 100 million to 300 million.[1]

Maybe at some point following a contract they had a generic "Google was the best choice" PR statement, but they've never hidden that it was up for sale to whoever wanted it or that it made up most of their budget.

And even if they did say the royalties were icing on the cake, what would be wrong with then changing their policy to generate as much money for development as possible?

http://allthingsd.com/20111222/google-will-pay-mozilla-almos...


They may have negotiated the $100M deal, but who was responsible for the value creation that made the deal possible in the first place?

The staff. The staff, who were subsequently fired.


Look at your graph again. The usage dropped from 30% to 10% from 2010-2015, and 10% to 5% from 2015 to 2020. It doesn't seem clear that the staff had significantly raised the value of the product before the deal, and there is at least an argument to be made that the huge influx of cash stemmed the bleeding.

While I won't claim the leadership has been truly outstanding, I think the extreme criticism of their salary is unwarranted.


Pfft, please. The staff cuts are among the least offensive things done under the Mozilla name. Much more value was created earlier by unpaid volunteers who were rewarded by having their project hijacked by a Valley-inspired corporate mania concerned with breaking into the mobile market (with a strategy that would be generous to even refer to it as DOA). The size of staff at the time of the cuts is something that only came about because of the absurd growth of the corporation that has become the new face of Mozilla over the last 10 years. Mozilla is an incompetent, bloated organization in need of further cuts still. So it's hard to seriously consider the cuts to be either unfortunate or tragic, particularly given the obnoxious tendency of those on staff to "other" non-MoCo employees whose contributions and involvement predated the layer of corporate sleaze that has come to be emblematic of the modern day Mozilla. Should we feel sorry? The fact that we're even talking in terms of cuts and layoffs means that those affected at least got paid at some point for their role in Mozilla's descent.

The only bad thing about the layoffs is that Mozilla leadership was shitty enough to do it during the middle of a pandemic. At this point though, keep it coming. It's been a bittersweet experience watching the tide turn against Mozilla over the last year, as the popular perception of it has only just now begun to align with how unworthy of an organization it has been for years already.


... and, Android Firefox now crashes frequently.

On the up side, it remembers where you were and returns there when it wakes up again. Still less bad than Chrome.


I'm on nightly and haven't noticed anything. How do you differentiate between crashed and GC-ed?


I am on LTS.

When it pops up two (count 'em, 2) dialog boxes announcing it has crashed and would you like to have it re-started, that seems pretty unambiguous. It happens about every day, lately, often when I click the "new tab" button.


What? Android FF is superstable for me.


fwiw I can reproduce the problems with Firefox Android, the latest major update broke heaps of shit.


To be very precise, I use the Fennec build off of F-droid, so it may be trailing FF from the Play-store a bit. Sounds like an incident, not deteriorating quality in any case. I'm happy as a clam with FF/Fennec.


The last major redesign broke/removed "Undo Close Tab", with a promise to bring it back. I found that decision to be staggering. It's not even clear what purpose the update served, except as an example of the development approach that jwz assigned the epithet of "CADT" 15+ years ago.


I use Fennec from F-Droid as well. The redesign broke many features for me and rendered it near unusable (or actually unusable for certain tasks, like downloading files).


> - Laying off 25% of their engineers

If Firefox needs to cut costs to survive, this is part of keeping Firefox working for us.

> - Sending all of your browsing history to Cloudflare

Are you referring to DNS over HTTPS? That's not all my browsing history, though it is still more than I want going to CloudFlare.


>If Firefox need to cut costs to survive, this is part of keeping Firefox working for us.

See also:

>Investing in a 400% increase in leadership salaries and bonuses during record-low market share


I love Firefox and hate the Chrome monopoly, but I'm so close to switching away. Most recently Firefox has been excruciatingly slow while Chromium was as fast as always, plus (likely WebRTC related) crashes every few hours

Please get your shit together, Mozilla. But it seems like their model for the future is to sell worse versions of 3rd party services with their logo ...


In some cases relying on Firefox as your main browser can turn out to be a sadomasochistic endeavor. Sadly though 100% of the web is written with Chrom(e/ium) in mind. Firefox lost the ball on this too long ago for it to come back on this. I can't help but see Firefox as a headless running chicken sometimes. And it doesn't help matters that Mozilla doesn't care enough to at least try and take back some of its former glory.


Mozilla blog posts read like hyperbolic corporate propaganda. The style is really off-putting to me. Grandiose claims with no authenticity. All the bad stuff and controversy gets quietly ignored. What about the layoffs? What about the executive pay? What about the obnoxious Chrome-sucking/mimicking URL bar? What about the certificate extirpation issue which NOBODY was ever held accountable for and for which it took MONTHS and MONTHS for a Friday-6PM-style oopsie announcement to even acknowledge.

A little bit of reasonable dissent could give Mozilla a lot of authenticity, but they seem incapable of that level of humility.

Occasionally I see private blog/reddit/Twitter posts from employees, but never in an official manner, and always with a hint of trepidation that they could be fired for speaking out.


I'm looking forward to the new and improved Mr. Robot v2 campaign.


Did they stop working in the dev tools?


I appreciate Firefox and donate to Mozilla. If you like open source, consider donating to Mozilla Foundation or any other group that helps keep the free open internet working, such as Electronic Frontier Foundation (EFF), Free Software Foundation (FSF), Linux Foundation, etc.


To anyone ready to say “you can’t donate to Firefox, only the Mozilla Corp” — don’t let perfect be the enemy of good.


The Mozilla Foundation minus Firefox doesn't seem like a good use of charitable funds compared to say, the EFF. For example, they funded this hit piece on P2P technology [0] and a browser extension to solicit complaints about YouTube recommendations [1]. Meanwhile they're laying off key developers and gutting the future of their core product, while paying execs bloated salaries to manage this array of white elephant advocacy projects.

[0] - https://foundation.mozilla.org/en/blog/fellow-research-decen...

[1] - https://foundation.mozilla.org/en/campaigns/regrets-reporter...


How is donating directly to a project "perfect"? That's a pretty normal expectation, imo. Framing something normal as "perfect" is definitely a fallacy.

Would you really be OK with donating to a cause whose major service is their most visible one and for your money to instead go into mostly, completely different things? I'm not and therefore I won't donate to Mozilla. I donated to other projects with clear goals, limited scope and visible results - there are quite a few of those. If the firefox team decided to split from Mozilla or a team decided to build a browser upon a new browser engine (like quantum or whatever that new rust browser engine is), I'd be glad to donate directly to the project.

Mozilla leadership has proven that they are too scatterbrained and insensitive to reality to be trusted with donations. Their priorities aren't aligned with the ones stated by the org. I try my best not to give money to people like that.


But you cannot even donate to the Mozilla Corp (those who actually coordinate Firefox development), but to the Mozilla Foundation, which AFAIK does advocacy.

I honestly don't know how much each $1 donated to the Mozilla Foundation contributes to Firefox development, if at all.


Does earmarking for donations exist in the US, i.e. could you donate under the condition that the money is only to be used for development of Firefox?


Yeah, they used to do that for Thunderbird. I assume it wasn't worth the hassle, and unless you are donating a serious amount of money they won't agree to take on the risk involved.


Once upon a time, someone affiliated with Thunderbird project maintenance/governance posted a detailed reply to HN describing how hard it was to get Mozilla to release funds that it had been collecting from Thunderbird donors. That comment is obviously not lost to the sands of time, but it has proven quite difficult to relocate.


It sounds like there was a period of time where the donations just sat there before a system was developed to allow Thunderbird total control. It's somewhat understandable, at the time Thunderbird shared many resources with Firefox but if some of the donation money was used for Firefox they'd break the terms of the donations.


This is nothing more than apologetics, and not even good apologetics. Instead, speculative apologetics, i.e. no solid footing by which to understand the premise.


Compared to "I'm pretty sure I read once things were bad." Sometimes things are hard, Thunderbird didn't seem very upset as they decided to stay with Mozilla during the period.


It's not "perfect vs good", it's "completely useless vs good".



