On Mon, Apr 13, 2015 at 7:13 PM, Karl Dubost <kdub...@mozilla.com> wrote:

> Richard,
>
> On 13 Apr 2015, at 23:57, Richard Barnes <rbar...@mozilla.com> wrote:
> > There's pretty broad agreement that HTTPS is the way forward for the web.
>
> Yes, but that doesn't make deprecation of HTTP a consensus.
>
> > In order to encourage web developers to move from HTTP to HTTPS, I would
> > like to propose establishing a deprecation plan for HTTP without security.
>
> This is not encouragement. This is called forcing. ^_^ Just that we are
> using the right terms for the right thing.

If so, then it's about the most gentle forcing we could do. If your web page works today over HTTP, it will continue working for a long time, O(years) probably, until we get around to removing features you care about.

The idea of this proposal is to start communicating to web site operators that in the *long* run, HTTP will no longer be viable, while giving them time to transition.

> In the document
>
> https://docs.google.com/document/d/1IGYl_rxnqEvzmdAP9AJQYY2i2Uy_sW-cg9QI9ICe-ww/edit?usp=sharing
>
> You say:
> Phase 3: Essentially all of the web is HTTPS.
>
> I understand this is the last hypothetical step, but it sounds a bit like
> "let's move the Web to XML". It didn't work out very well.

The lack of XML doesn't enable things like the Great Cannon.

https://citizenlab.org/2015/04/chinas-great-cannon/

> I would love to have a more secure Web, but this cannot happen without a
> few careful considerations.
>
> * Third tier person for certificates being mandatory is a no-go. It
> creates a system of authority and power, an additional layer of hierarchy
> which deeply modifies the ability for anyone to publish and might in some
> circumstances increase the security risk.
>
> * If we have to rely, cost of certificates must be zero. This for the
> simple reason that not everyone is living in a rich industrialized country.

There are already multiple sources of free publicly-trusted certificates, with more on the way.

https://www.startssl.com/
https://buy.wosign.com/free/
https://blog.cloudflare.com/introducing-universal-ssl/
https://letsencrypt.org/

> * Setup and publication through HTTPS should be as easy as HTTP. The Web
> brought a publishing power to any individuals. Imagine cases where you need
> to create a local network, web developing on your computer, hacking a
> server for your school, community, etc. If it relies on a heavy process, it
> will not happen.

I agree that we should work on this, and Let's Encrypt is making a big push in this direction. However, we're not that far off today. Most hosting platforms already allow HTTPS with only a few more clicks. If you're running your own server, there's lots of documentation, including documentation provided by Mozilla:

https://mozilla.github.io/server-side-tls/ssl-config-generator/?1

In other words, this is a gradual plan, and while you've raised some important things to work on, they shouldn't block us getting started.

--Richard

> So instead of a plan based on technical features, I would love to see a:
> "Let's move to a secure Web. What are the user scenarios we need to solve
> to achieve that."
>
> These user scenarios are economical, social, etc.
>
> my 2 cents.
> So yes, but not the way it is introduced and planned now.
>
> --
> Karl Dubost, Mozilla
> http://www.la-grange.net/karl/moz
>
> _______________________________________________
> dev-platform mailing list
> dev-platform@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-platform