Plain HTTP Will Be Deprecated And Killed
Plain HTTP Will Be Deprecated And Killed
https://blog.mozilla.org/security/2015/ ... cure-http/
Anyone else think this is a bad idea?
It'll eventually completely cut off people's ability to view some older sites. And IMO providing different feature sets to HTTP sites vs HTTPS sites is just asking to create weird issues...
Oh, and thanks guys for making me need to add some form HTTPS support to my local server (where the connection only runs between my computer and my computer, not outside that). sigh.. now how to set up HTTPS without paying money...
Now if they were to make this deal default with an about:config-only option to keep plain HTTP, I wouldn't be saying it's a bad idea...
Anyone else think this is a bad idea?
It'll eventually completely cut off people's ability to view some older sites. And IMO providing different feature sets to HTTP sites vs HTTPS sites is just asking to create weird issues...
Oh, and thanks guys for making me need to add some form HTTPS support to my local server (where the connection only runs between my computer and my computer, not outside that). sigh.. now how to set up HTTPS without paying money...
Now if they were to make this deal default with an about:config-only option to keep plain HTTP, I wouldn't be saying it's a bad idea...
*Always* check the changelogs BEFORE updating that important software!
-
Re: Plain HTTP Will Be Deprecated And Killed
Anything wrong with a self-signed certificate?barbaz wrote:now how to set up HTTPS without paying money...
I think that something like viewtopic.php?f=19&t=20805 should be developed before killing off HTTP altogether.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.
True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.
True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0
- Giorgio Maone
- Site Admin
- Posts: 9454
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
- Contact:
Re: Plain HTTP Will Be Deprecated And Killed
I understand this is a huge part of the dealbarbaz wrote:now how to set up HTTPS without paying money...
Mozilla/5.0 (Windows NT 6.3; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0
Re: Plain HTTP Will Be Deprecated And Killed
That would be fine (actually, the ideal solution in this case), except for this.Thrawn wrote:Anything wrong with a self-signed certificate?
(But I'm not completely sure that bug applies to HTTPS. If I replace my existing (default) certificate and set up my server to do HTTPS, I can confirm a security exception for HTTPS connections... only done cursory testing so far though.)
Thanks for the suggestion, but while that would work for an actual site admin, it sounds like it wouldn't work for the setup I've got...Giorgio Maone wrote:I understand this is a huge part of the dealbarbaz wrote:now how to set up HTTPS without paying money...
*Always* check the changelogs BEFORE updating that important software!
-
Re: Plain HTTP Will Be Deprecated And Killed
Can you import the certificate into the trust store properly, instead of just making a security exception?barbaz wrote:That would be fine (actually, the ideal solution in this case), except for this.Thrawn wrote:Anything wrong with a self-signed certificate?
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.
True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.
True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0
Re: Plain HTTP Will Be Deprecated And Killed
I don't know how to do that, and given the nature of what I do with that server, the certificate could be subject to change at any time...Thrawn wrote:Can you import the certificate into the trust store properly, instead of just making a security exception?
Also would this involve a modification to my profile only? If not, if it involves modifying my SeaMonkey install dir or build, it'll be really impractical.
*Always* check the changelogs BEFORE updating that important software!
-
Re: Plain HTTP Will Be Deprecated And Killed
Well, I don't know Seamonkey, but on (Ubuntu) Firefox, it's Edit - Preferences - Advanced - Certificates - Import.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.
True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.
True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0
Re: Plain HTTP Will Be Deprecated And Killed
Thanks, that's enough of a hint for me to find it: SeaMonkey Preferences > Privacy & Security > Certificates > Manage Certificates...
Now to see what it actually does...
Now to see what it actually does...
*Always* check the changelogs BEFORE updating that important software!
-
Re: Plain HTTP Will Be Deprecated And Killed
How well do you know security certificates?
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.
True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.
True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0
Re: Plain HTTP Will Be Deprecated And Killed
Even grabbing my cert via sftp and importing it doesn't work, it still wants a security exception.
Not very well. This is the first time I've dealt with this stuff on the server side.Thrawn wrote:How well do you know security certificates?
*Always* check the changelogs BEFORE updating that important software!
-
Re: Plain HTTP Will Be Deprecated And Killed
And indeed, more playing with it indicates that HTTPS security exceptions are separate from mail security exceptions - or at least, not affected by the same problem as mail security exceptions. Looks like I will be able to get a self-signed certificate working after all.barbaz wrote:(But I'm not completely sure that bug applies to HTTPS. If I replace my existing (default) certificate and set up my server to do HTTPS, I can confirm a security exception for HTTPS connections... only done cursory testing so far though.)
*Always* check the changelogs BEFORE updating that important software!
-
Re: Plain HTTP Will Be Deprecated And Killed
Self-signed certificates can be imported as Certificate Authorities, just like the built-in authorities. In fact, every root authority is self-signed (by definition). In cases where you control the certificate yourself, it's a much better approach than adding exceptions: you don't get certificate warning fatigue, you'll know if it somehow changes, you can use Strict Transport Security, etc.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.
True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.
True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0
Re: Plain HTTP Will Be Deprecated And Killed
Ah, I was trying to import it as a server certificate. Works if I import it as an authority. Thanks
*Always* check the changelogs BEFORE updating that important software!
-
Re: Plain HTTP Will Be Deprecated And Killed
Now this is odd... if I play with my test phpBB 3.0 board over the https connection, it works for a while... but then abruptly borks? And restarting the browser (doing nothing on the server side) gets it back again?
(Plain HTTP seems unaffected.)
Nothing related in the Error Console.
HTTPFox log (same for any URL on my server, but I could swear the first time this happened, only my local test board was affected):
(I have not tried accessing my local phpBB 3.1 test board, but I suspect that would not work either.)
There are a few things I can think to try that I haven't tried yet, but throwing this out there anyway - even if I do find the answer on my own, it might help someone else.
(Wonder if it could even be a bug in VirtualBox 4.3.26 host-only network that I'm using to connect to my server?)
(Plain HTTP seems unaffected.)
Yeah, contacting myself is totally going to get this solved.Secure Connection Failed
The connection to [MY_SERVER'S_IP] has terminated unexpectedly. Some data may have been transferred.
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.
Nothing related in the Error Console.
HTTPFox log (same for any URL on my server, but I could swear the first time this happened, only my local test board was affected):
Code: Select all
XX:XX:XX.XXX 0.082 414 0 GET (Error) NS_ERROR_NET_INTERRUPT https://[MY_SERVER'S_IP]/
XX:XX:XX.XXX * 263/263 * GET * * https://[MY_SERVER'S_IP]/favicon.ico
There are a few things I can think to try that I haven't tried yet, but throwing this out there anyway - even if I do find the answer on my own, it might help someone else.
(Wonder if it could even be a bug in VirtualBox 4.3.26 host-only network that I'm using to connect to my server?)
*Always* check the changelogs BEFORE updating that important software!
-
Re: Plain HTTP Will Be Deprecated And Killed
Not relevant.barbaz wrote:if I play with my test phpBB 3.0 board over the https connection, it works for a while...
Load a page on the server via HTTPS, wait a while, refresh it... and that's enough to produce that error. Puzzling
[EDIT Probably not relevant, but all this is with my certificate imported as an authority, not as a security exception.]
*Always* check the changelogs BEFORE updating that important software!
-