Plain HTTP Will Be Deprecated And Killed

Posted: Sat May 30, 2015 5:55 am
by barbaz
https://blog.mozilla.org/security/2015/ ... cure-http/

Anyone else think this is a bad idea?
It'll eventually completely cut off people's ability to view some older sites. And IMO providing different feature sets to HTTP sites vs HTTPS sites is just asking to create weird issues...
Oh, and thanks guys for making me need to add some form of HTTPS support to my local server (where the connection only runs between my computer and my computer, not outside that). sigh.. now how to set up HTTPS without paying money...

Now if they were to make this deal default with an about:config-only option to keep plain HTTP, I wouldn't be saying it's a bad idea...

Re: Plain HTTP Will Be Deprecated And Killed

Posted: Sun May 31, 2015 11:55 pm
by Thrawn
barbaz wrote:now how to set up HTTPS without paying money...
Anything wrong with a self-signed certificate?

I think that something like viewtopic.php?f=19&t=20805 should be developed before killing off HTTP altogether.

Re: Plain HTTP Will Be Deprecated And Killed

Posted: Mon Jun 01, 2015 12:44 am
by Giorgio Maone
barbaz wrote:now how to set up HTTPS without paying money...
I understand this is a huge part of the deal ;)

Re: Plain HTTP Will Be Deprecated And Killed

Posted: Mon Jun 01, 2015 1:41 am
by barbaz
Thrawn wrote:Anything wrong with a self-signed certificate?
That would be fine (actually, the ideal solution in this case), except for this.
(But I'm not completely sure that bug applies to HTTPS. If I replace my existing (default) certificate and set up my server to do HTTPS, I can confirm a security exception for HTTPS connections... only done cursory testing so far though.)
Giorgio Maone wrote:
barbaz wrote:now how to set up HTTPS without paying money...
I understand this is a huge part of the deal ;)
Thanks for the suggestion, but while that would work for an actual site admin, it sounds like it wouldn't work for the setup I've got...

Re: Plain HTTP Will Be Deprecated And Killed

Posted: Mon Jun 01, 2015 6:14 am
by Thrawn
barbaz wrote:
Thrawn wrote:Anything wrong with a self-signed certificate?
That would be fine (actually, the ideal solution in this case), except for this.
Can you import the certificate into the trust store properly, instead of just making a security exception?

Re: Plain HTTP Will Be Deprecated And Killed

Posted: Mon Jun 01, 2015 4:24 pm
by barbaz
Thrawn wrote:Can you import the certificate into the trust store properly, instead of just making a security exception?
I don't know how to do that, and given the nature of what I do with that server, the certificate could be subject to change at any time... :?
Also would this involve a modification to my profile only? If not, if it involves modifying my SeaMonkey install dir or build, it'll be really impractical.

Re: Plain HTTP Will Be Deprecated And Killed

Posted: Mon Jun 01, 2015 10:26 pm
by Thrawn
Well, I don't know SeaMonkey, but on (Ubuntu) Firefox, it's Edit - Preferences - Advanced - Certificates - Import.

Re: Plain HTTP Will Be Deprecated And Killed

Posted: Mon Jun 01, 2015 10:29 pm
by barbaz
Thanks, that's enough of a hint for me to find it: SeaMonkey Preferences > Privacy & Security > Certificates > Manage Certificates...
Now to see what it actually does...

Re: Plain HTTP Will Be Deprecated And Killed

Posted: Mon Jun 01, 2015 10:30 pm
by Thrawn
How well do you know security certificates?

Re: Plain HTTP Will Be Deprecated And Killed

Posted: Mon Jun 01, 2015 10:48 pm
by barbaz
Even grabbing my cert via sftp and importing it doesn't work, it still wants a security exception.
Thrawn wrote:How well do you know security certificates?
Not very well. This is the first time I've dealt with this stuff on the server side.

Re: Plain HTTP Will Be Deprecated And Killed

Posted: Mon Jun 01, 2015 11:26 pm
by barbaz
barbaz wrote:(But I'm not completely sure that bug applies to HTTPS. If I replace my existing (default) certificate and set up my server to do HTTPS, I can confirm a security exception for HTTPS connections... only done cursory testing so far though.)
And indeed, more playing with it indicates that HTTPS security exceptions are separate from mail security exceptions - or at least, not affected by the same problem as mail security exceptions. Looks like I will be able to get a self-signed certificate working after all. 8-)

Re: Plain HTTP Will Be Deprecated And Killed

Posted: Tue Jun 02, 2015 11:19 pm
by Thrawn
Self-signed certificates can be imported as Certificate Authorities, just like the built-in authorities. In fact, every root authority is self-signed (by definition). In cases where you control the certificate yourself, it's a much better approach than adding exceptions: you don't get certificate warning fatigue, you'll know if it somehow changes, you can use Strict Transport Security, etc.
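
Added example, not part of the original thread: a shell sketch of the point in the post above, that a self-signed certificate is its own authority. It assumes the `openssl` command-line tool is installed; the address 192.168.56.10, the file names and the function names are constructed placeholders, and setting CA:TRUE is an assumption about what a browser expects of a certificate imported as an authority.

```shell
#!/bin/sh
# Added example (not from the thread). The IP address, file names and
# function names are constructed placeholders.

make_self_signed() {   # args: server IP, output directory
    ip="$1"; dir="$2"
    mkdir -p "$dir" || return 1
    cat > "$dir/req.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = $ip
[v3]
basicConstraints = critical,CA:TRUE
subjectAltName = IP:$ip
EOF
    # umask keeps the new private key unreadable to other local users.
    (umask 077
     openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -config "$dir/req.cnf" -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null)
}

is_self_signed() {     # subject and issuer are the same name
    subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
    [ -n "$subj" ] && [ "$subj" = "$iss" ]
}

trusts_itself() {      # the certificate validates with itself as the only CA
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

has_ca_and_san() {     # args: certificate file, expected IP in subjectAltName
    text=$(openssl x509 -in "$1" -noout -text)
    echo "$text" | grep -q 'CA:TRUE' && echo "$text" | grep -q "IP Address:$2"
}

demo_dir=$(mktemp -d)
make_self_signed 192.168.56.10 "$demo_dir" &&
    is_self_signed "$demo_dir/cert.pem" &&
    trusts_itself "$demo_dir/cert.pem" &&
    echo "cert.pem is self-signed and verifies against itself"
```

Because the certificate carries CA:TRUE, a browser that trusts it will also accept anything signed with key.pem, so that key should stay readable only by the server.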

Re: Plain HTTP Will Be Deprecated And Killed

Posted: Wed Jun 03, 2015 12:17 am
by barbaz
Ah, I was trying to import it as a server certificate. Works if I import it as an authority. Thanks :D

Re: Plain HTTP Will Be Deprecated And Killed

Posted: Wed Jun 03, 2015 2:51 am
by barbaz
Now this is odd... if I play with my test phpBB 3.0 board over the https connection, it works for a while... but then abruptly borks? And restarting the browser (doing nothing on the server side) gets it back again?
(Plain HTTP seems unaffected.)
Secure Connection Failed

The connection to [MY_SERVER'S_IP] has terminated unexpectedly. Some data may have been transferred.

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.

Please contact the website owners to inform them of this problem.
Yeah, contacting myself is totally going to get this solved. :lol:

Nothing related in the Error Console.
HTTPFox log (same for any URL on my server, but I could swear the first time this happened, only my local test board was affected):

XX:XX:XX.XXX	0.082	414	0	GET	(Error)	NS_ERROR_NET_INTERRUPT	https://[MY_SERVER'S_IP]/
XX:XX:XX.XXX	*	263/263	*	GET	*	*	https://[MY_SERVER'S_IP]/favicon.ico
(I have not tried accessing my local phpBB 3.1 test board, but I suspect that would not work either.)

There are a few things I can think to try that I haven't tried yet, but throwing this out there anyway - even if I do find the answer on my own, it might help someone else.
(Wonder if it could even be a bug in VirtualBox 4.3.26 host-only network that I'm using to connect to my server?)

Re: Plain HTTP Will Be Deprecated And Killed

Posted: Wed Jun 03, 2015 3:13 am
by barbaz
barbaz wrote:if I play with my test phpBB 3.0 board over the https connection, it works for a while...
Not relevant.
Load a page on the server via HTTPS, wait a while, refresh it... and that's enough to produce that error. Puzzling

[EDIT Probably not relevant, but all this is with my certificate imported as an authority, not as a security exception.]