Re: Intent to deprecate: Insecure HTTP
On Friday, May 1, 2015 at 3:06:18 PM UTC-4, Richard Barnes wrote:
> On Thu, Apr 30, 2015 at 9:50 PM, wrote:
> >
> > 1. Setting a date after which all new features will be available only to
> > secure websites
> >
> > I propose the date to be one year after Let's Encrypt is launched, which
> > is about mid-2016.
> >
>
> I was hoping for something a little sooner, given that we're talking about
> *future* stuff. But I'm open to discuss.

Fully agree! After reconsidering, now I think mid-2016 is too conservative.

Since the first step is only about limiting new features, no websites will be broken due to this change. Developers and users don't *have to* do anything before that date. And we don't have to cooperate with other browsers in choosing this date, since different browsers already implement different sets of features today.

So how about starting with Firefox 41, which will be released on September 22, 2015?

Actually, it's better to enter phase 1 as soon as possible. People generally don't complain too much if a feature is not supported from the beginning, but do complain if the feature is dropped after it is widely used.

___
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform

Re: Intent to deprecate: Insecure HTTP
> 1. Setting a date after which all new features will be available only to
> secure websites

I propose the date to be one year after Let's Encrypt is launched, which is about mid-2016.

By the way, I hope Mozilla's own official website (Mozilla.org) should move to HTTPS-only as soon as possible. Currently www.mozilla.org forces HTTPS, but many mozilla.org subdomains do not, such as http://people.mozilla.org/, http://release.mozilla.org/, and http://website-archive.mozilla.org. It will be great if *.Mozilla.org can be added to browsers' built-in HSTS list.

Re: Intent to deprecate: Insecure HTTP
On Monday, April 13, 2015 at 8:57:41 PM UTC-4, northrupt...@gmail.com wrote:
>
> * Less scary warnings about self-signed certificates (i.e. treat
> HTTPS+selfsigned like we do with HTTP now, and treat HTTP like we do with
> HTTPS+selfsigned now); the fact that self-signed HTTPS is treated as less
> secure than HTTP is - to put this as politely and gently as possible - a pile
> of bovine manure

This feature (i.e. opportunistic encryption) was implemented in Firefox 37, but unfortunately an implementation bug made HTTPS insecure too. But I guess Mozilla will fix it and make this feature available in a future release.

> * Support for a decentralized (blockchain-based, ala Namecoin?) certificate
> authority
>
> Basically, the current CA system is - again, to put this as gently and
> politely as possible - fucking broken. Anything that forces the world to
> rely on it exclusively is not a solution, but is instead just going to make
> the problem worse.

I don't think the current CA system is broken. The domain name registration is also centralized, but almost every website has a hostname, rather than using an IP address, and few people complain about this.