There had better be an about:config option to turn this stupidity off.
Perhaps one of the downvoters can explain why the implied opinion "Nobody should be able to access your site without clearance from a third-party gatekeeper" belongs on a site called "Hacker News."
And no, it won't be opt-in for long. Read the rest of the page: "Once HTTPS becomes even more widely supported by websites than it is today, we expect it will be possible for web browsers to deprecate HTTP connections and require HTTPS for all websites. In summary, HTTPS-Only Mode is the future of web browsing!"
This is something you should be speaking up against.
> Perhaps one of the downvoters can explain why the implied opinion "Nobody should be able to access your site without clearance from a third-party gatekeeper" belongs on a site called "Hacker News."
I didn't vote down, but ironically this is news to real hackers who will have a harder time doing mitm downgrade attacks once this is widespread.
I believe that web browsers should alert users if a website uses a less secure protocol than "nearly all" of the rest of the websites they visit, for some value of "nearly all".
It's not preventing the user from visiting, just saying "heads up, the assumptions you make about the websites you visit don't hold for this one."
Which means any pure HTML resources would either have to rely on let’s encrypt or pony up some certificate money. So basically a death knell for homepages.
especially if the diplayed warning looks like a "ThIs Is An InSeCuRe SiTe" warning.
self signed cert? WaRnInG!!!111eleven
no https? WaRnInG!!!111eleven
cert expired 2 hours ago? WaRnInG!!!111eleven
HTTPS is not about gatekeeping, you can use "let's encrypt" for free certificates for any domain.
HTTPS-only is about forcing all traffic to be encrypted by banning clear-text traffic. I've been using the "HTTPS everywhere" extension for years and it's great.
yes it is. someone has to give you a certificate which the users browser accepts. even if its free today.
lets say a simple website which someone uses to display some holiday pictures. why would we need https here, if there is no login or anything like that?
it just adds an extra hurdle for not so tech-savvy users and increases the trend to abolish small private websites.
I don't know. Let's say that some non-technical family member goes to this site intending to look at vacation pictures.
Imagine if those pictures have been replaced by something else. If you can't think of a long list of replacement images that could be very useful for a spearphishing attack, then you're not having enough imagination.
This attack could also be used to get the poster of the photos in trouble.
If my choices are to implement a security control which forces a layer of security, or forgo that security control so Alice can upload her Holiday pictures to a host which doesn’t support HTTPS either, I know which one I’ll pick. Alice should either host her photos on Instagram, or learn how to run letsencrypt.
The day where certs are no longer freely obtainable is the day another self governed free TLS provider will appear and force their way into the market by providing installers to inject CAs into system cert stores.
> That's already pointless on Android, user-installed CAs are ignored by default unless an app developer opts in to using them.
And? App developers should opt in to ignoring transport security. I’m sure a bunch of Android shitware attempts to install CAs either via user interaction or exploitation.
> Once we go down this path there's no turning back to the user-centric Web of the 1990s / 2000s
The landscape we live in now is very different to then. I’m all for a free web, but not at the cost of security. The web is now a multi billion trillion dollar industry. Weakening security just so Bob can see Alices’ holiday pics in situation where Alice can’t figure out letsencrypt, is frankly unhinged.
If you want a ‘free web’ you’re welcome to disable any HTTPS enforcement and disable TLS cert checking entirely. Hell, fork a browser, be very clear about the security weaknesses and publish on github if you feel that strongly, I’ll even star it for you.
The web is now a multi billion trillion dollar industry.
Maybe your web service is, but mine isn't. Mine is a specialized embedded device server that now has an expiration date for no reason on God's green earth.
As a visitor to the website, how can I be sure it's only holiday pictures ? If I get to your friendly website and it asks me for private information, and I'm willing to give it because I trust you, what tells me only you will receive it ? How do I know it's your holiday pictures, and not some scam someone else wants to trick me into ?
But you don't know if it's the real content. There's a problem even before entering information. What tells me it's your holiday pictures and not someone else's, and a person in the middle wants to tarnish your name ? What if your ISP/your hosting provider adds ads in the page, or a MiTM adds a link to a scam site ?
Of all the parts invloved in setting up a web server, is adding a letsencrypt a significant further barrier? In what situation would a non-tech-savvy user ever be doing that in the first place?
Hint: not all web servers run inside Facebook or Google or Amazon data centers. Some of them run inside individual devices, which will now end up in the landfill once their certificates expire. Many such devices were, and are, just fine running plain old HTTP, but now they're all going to be subject to service life limits imposed by a third-party authority.
This is not how this was supposed to work. This is not how any of this was supposed to work. But it's hard to voice any objections over the proverbial thunderous applause.
> HTTPS-only is about forcing all traffic to be encrypted by banning clear-text traffic
Banning clear text might work for browsers but it would disable ACME clients that rely on plain http to initiate a certificate request from Let's Encrypt.
You can use let's encrypt... until you can't. And then, after all browsers had deprecated HTTP, it will be time to seriously rake all website owners for certificate money. It is pretty brilliant, if you ask me.
At first it's opt-in then it becomes the default setting.
Are you a developer? If you are then you should be used to thinking at least 2 steps ahead and just seeing what's literally visible in front of you.
I kind of agree, I don't want to have to click through warnings all the time to do my job. Just re-architect everything to have legit public domain names and network access to get a let's encrypt cert, yeah right I'll get right on that.
Perhaps one of the downvoters can explain why the implied opinion "Nobody should be able to access your site without clearance from a third-party gatekeeper" belongs on a site called "Hacker News."
And no, it won't be opt-in for long. Read the rest of the page: "Once HTTPS becomes even more widely supported by websites than it is today, we expect it will be possible for web browsers to deprecate HTTP connections and require HTTPS for all websites. In summary, HTTPS-Only Mode is the future of web browsing!"
This is something you should be speaking up against.