----- Original Message -----
> From: "David E. Ross" <nobody@nowhere.invalid>
> To: mozilla-dev-security-pol...@lists.mozilla.org
> Sent: Sunday, 20 July, 2014 4:39:09 AM
> Subject: Re: Proposal: Switch generic icon to negative feedback for non-https sites
> 
> On 7/19/2014 11:54 AM, Daniel Roesler wrote:
> > Howdy all,
> > 
> > Yesterday, I created a bug proposing that Firefox switch the generic
> > url icon to a negative feedback icon for non-https sites.
> > 
> > https://bugzilla.mozilla.org/show_bug.cgi?id=1041087
> > 
> > I created this bug because it's time we start treating insecure
> > connections as a Bug. There is so much open wifi available to the
> > modern internet user that a significant portion of Firefox users'
> > requests can be sniffed. If that request is insecure, it makes session
> > hijacking, MITM, and metadata attacks trivially easy. Not using https
> > should now be bad practice and considered harmful.
> > 
> > Mozilla should be a leader and push websites to start securing their
> > connections. Many of the largest websites already default to https,
> > and it's time to start bringing the rest on board. Having negative
> > feedback for insecure connections offers a huge incentive to fixing
> > the larger Bug of insecure connections.
> > 
> > Thanks and looking forward to any discussion,
> > Daniel Roesler
> > diaf...@gmail.com
> > 
> 
> Your concept would cast a negative shadow over many non-commercial Web
> sites, blogs, and legitimate freeware sources.  Are you willing to pay
> the cost of site certificates for such sites?  How about just the cost
> of a site certificate for my own site?  I have no advertising on my site
> and thus no revenues to pay for a certificate.
> 
> Yes, I know there are some certification authorities that issue free
> certificates.  For various reasons, I have marked many of their root
> certificates as untrusted.
> 

I was able to get a certificate for a year for $3 that links up to COMODO CA.
That was without any promotions or coupons - regular price.

You need to pay a few times more for hosting than you need to pay for
certificates.

Also, while you might have marked them as untrusted, I'm sure that
the vast majority (over 99%) of users didn't. Rightfully so.
They are not supposed to thwart any and all attacks. They are there so
that trivial attacks can't be launched.

There are about 1000 CAs that are trusted by Firefox (by linking up to root
CA certs or by being in the root store directly), how many of them have
you marked as untrustworthy?


+1 on the idea of starting to treat HTTP as insecure

and while we're at it, let's get rid of those warnings about self-signed
certificates -- they are less insecure than HTTP (Firefox actually
uses certificate pinning for sites with previously waived cert problems!)
so let's not treat them worse than HTTP connections

-- 
Regards,
Hubert Kario
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
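The pinning Hubert refers to above is a trust-on-first-use (TOFU) check: once a user has waived the warning for a self-signed certificate, the browser remembers that certificate for the host and can raise an alarm if a different one shows up later. The following is an added illustration of that mechanism, not code from Firefox or from anyone on this thread. The `PinStore` class, the hostname `example.invalid` and the two byte strings standing in for DER-encoded certificates are all constructed for the example; a real client would hash the actual DER bytes received during the TLS handshake.

```python
"""Trust-on-first-use pin store for waived certificate exceptions.

Added example (not from the original thread). Models what a client can do
for a self-signed certificate that a user has explicitly accepted: pin its
SHA-256 fingerprint and flag any later change for that host. A plain HTTP
connection offers no equivalent: there is nothing to pin, so a MITM on an
open wifi network is never detected.
"""

import hashlib
import json
from typing import Dict, Optional


class PinStore:
    """Maps hostname -> SHA-256 fingerprint of the first accepted certificate."""

    def __init__(self, pins: Optional[Dict[str, str]] = None) -> None:
        self.pins: Dict[str, str] = dict(pins or {})

    @staticmethod
    def fingerprint(cert_der: bytes) -> str:
        # Fingerprint the whole DER certificate, as browsers do for exceptions.
        return hashlib.sha256(cert_der).hexdigest()

    def check(self, host: str, cert_der: bytes) -> str:
        """Return 'first-seen', 'match' or 'mismatch' for this host/cert pair.

        'first-seen' corresponds to the user waiving the warning: the
        certificate is pinned. 'mismatch' means the host is now presenting a
        different certificate than the one accepted before, which is exactly
        the condition a MITM with its own self-signed certificate produces.
        """
        fp = self.fingerprint(cert_der)
        stored = self.pins.get(host)
        if stored is None:
            self.pins[host] = fp
            return "first-seen"
        if stored == fp:
            return "match"
        return "mismatch"

    def dump(self) -> str:
        """Serialise pins so they survive a restart."""
        return json.dumps(self.pins, sort_keys=True)

    @classmethod
    def load(cls, data: str) -> "PinStore":
        return cls(json.loads(data))


# Constructed placeholders for two different DER certificates; in a real
# client these would be the raw bytes of the server's leaf certificate.
CERT_A = b"-- constructed DER placeholder: example.invalid, key A --"
CERT_B = b"-- constructed DER placeholder: example.invalid, key B --"


def demo() -> list:
    """First visit pins cert A; revisits match; a swapped cert is caught,
    including after the store has been persisted and reloaded."""
    store = PinStore()
    results = [
        store.check("example.invalid", CERT_A),  # user waives warning -> pinned
        store.check("example.invalid", CERT_A),  # same cert again -> fine
    ]
    reloaded = PinStore.load(store.dump())      # simulate browser restart
    results.append(reloaded.check("example.invalid", CERT_A))
    results.append(reloaded.check("example.invalid", CERT_B))  # MITM cert -> alarm
    return results


if __name__ == "__main__":
    print(demo())
```

The store only buys continuity, not identity: it cannot tell whether the first certificate it saw was the legitimate one, which is the usual caveat with TOFU. But it does give the self-signed case a property plain HTTP lacks, namely that a later interception attempt is detectable.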
