Plain HTTP Will Be Deprecated And Killed

General discussion about web technology.
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Plain HTTP Will Be Deprecated And Killed

Post by barbaz »

https://blog.mozilla.org/security/2015/ ... cure-http/

Anyone else think this is a bad idea?
It'll eventually completely cut off people's ability to view some older sites. And IMO providing different feature sets to HTTP sites vs HTTPS sites is just asking to create weird issues...
Oh, and thanks guys for making me need to add some form HTTPS support to my local server (where the connection only runs between my computer and my computer, not outside that). sigh.. now how to set up HTTPS without paying money...

Now if they were to make this deal default with an about:config-only option to keep plain HTTP, I wouldn't be saying it's a bad idea...
*Always* check the changelogs BEFORE updating that important software!
-
User avatar
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia
Contact:

Re: Plain HTTP Will Be Deprecated And Killed

Post by Thrawn »

barbaz wrote:now how to set up HTTPS without paying money...
Anything wrong with a self-signed certificate?

I think that something like viewtopic.php?f=19&t=20805 should be developed before killing off HTTP altogether.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0
User avatar
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: Plain HTTP Will Be Deprecated And Killed

Post by Giorgio Maone »

barbaz wrote:now how to set up HTTPS without paying money...
I understand this is a huge part of the deal ;)
Mozilla/5.0 (Windows NT 6.3; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: Plain HTTP Will Be Deprecated And Killed

Post by barbaz »

Thrawn wrote:Anything wrong with a self-signed certificate?
That would be fine (actually, the ideal solution in this case), except for this.
(But I'm not completely sure that bug applies to HTTPS. If I replace my existing (default) certificate and set up my server to do HTTPS, I can confirm a security exception for HTTPS connections... only done cursory testing so far though.)
Giorgio Maone wrote:
barbaz wrote:now how to set up HTTPS without paying money...
I understand this is a huge part of the deal ;)
Thanks for the suggestion, but while that would work for an actual site admin, it sounds like it wouldn't work for the setup I've got...
*Always* check the changelogs BEFORE updating that important software!
-
User avatar
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia
Contact:

Re: Plain HTTP Will Be Deprecated And Killed

Post by Thrawn »

barbaz wrote:
Thrawn wrote:Anything wrong with a self-signed certificate?
That would be fine (actually, the ideal solution in this case), except for this.
Can you import the certificate into the trust store properly, instead of just making a security exception?
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: Plain HTTP Will Be Deprecated And Killed

Post by barbaz »

Thrawn wrote:Can you import the certificate into the trust store properly, instead of just making a security exception?
I don't know how to do that, and given the nature of what I do with that server, the certificate could be subject to change at any time... :?
Also would this involve a modification to my profile only? If not, if it involves modifying my SeaMonkey install dir or build, it'll be really impractical.
*Always* check the changelogs BEFORE updating that important software!
-
User avatar
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia
Contact:

Re: Plain HTTP Will Be Deprecated And Killed

Post by Thrawn »

Well, I don't know Seamonkey, but on (Ubuntu) Firefox, it's Edit - Preferences - Advanced - Certificates - Import.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: Plain HTTP Will Be Deprecated And Killed

Post by barbaz »

Thanks, that's enough of a hint for me to find it: SeaMonkey Preferences > Privacy & Security > Certificates > Manage Certificates...
Now to see what it actually does...
*Always* check the changelogs BEFORE updating that important software!
-
User avatar
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia
Contact:

Re: Plain HTTP Will Be Deprecated And Killed

Post by Thrawn »

How well do you know security certificates?
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: Plain HTTP Will Be Deprecated And Killed

Post by barbaz »

Even grabbing my cert via sftp and importing it doesn't work, it still wants a security exception.
Thrawn wrote:How well do you know security certificates?
Not very well. This is the first time I've dealt with this stuff on the server side.
*Always* check the changelogs BEFORE updating that important software!
-
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: Plain HTTP Will Be Deprecated And Killed

Post by barbaz »

barbaz wrote:(But I'm not completely sure that bug applies to HTTPS. If I replace my existing (default) certificate and set up my server to do HTTPS, I can confirm a security exception for HTTPS connections... only done cursory testing so far though.)
And indeed, more playing with it indicates that HTTPS security exceptions are separate from mail security exceptions - or at least, not affected by the same problem as mail security exceptions. Looks like I will be able to get a self-signed certificate working after all. 8-)
*Always* check the changelogs BEFORE updating that important software!
-
User avatar
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia
Contact:

Re: Plain HTTP Will Be Deprecated And Killed

Post by Thrawn »

Self-signed certificates can be imported as Certificate Authorities, just like the built-in authorities. In fact, every root authority is self-signed (by definition). In cases where you control the certificate yourself, it's a much better approach than adding exceptions: you don't get certificate warning fatigue, you'll know if it somehow changes, you can use Strict Transport Security, etc.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: Plain HTTP Will Be Deprecated And Killed

Post by barbaz »

Ah, I was trying to import it as a server certificate. Works if I import it as an authority. Thanks :D
*Always* check the changelogs BEFORE updating that important software!
-
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: Plain HTTP Will Be Deprecated And Killed

Post by barbaz »

Now this is odd... if I play with my test phpBB 3.0 board over the https connection, it works for a while... but then abruptly borks? And restarting the browser (doing nothing on the server side) gets it back again?
(Plain HTTP seems unaffected.)
Secure Connection Failed

The connection to [MY_SERVER'S_IP] has terminated unexpectedly. Some data may have been transferred.

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.

Please contact the website owners to inform them of this problem.
Yeah, contacting myself is totally going to get this solved. :lol:

Nothing related in the Error Console.
HTTPFox log (same for any URL on my server, but I could swear the first time this happened, only my local test board was affected):

Code: Select all

XX:XX:XX.XXX	0.082	414	0	GET	(Error)	NS_ERROR_NET_INTERRUPT	https://[MY_SERVER'S_IP]/
XX:XX:XX.XXX	*	263/263	*	GET	*	*	https://[MY_SERVER'S_IP]/favicon.ico
(I have not tried accessing my local phpBB 3.1 test board, but I suspect that would not work either.)

There are a few things I can think to try that I haven't tried yet, but throwing this out there anyway - even if I do find the answer on my own, it might help someone else.
(Wonder if it could even be a bug in VirtualBox 4.3.26 host-only network that I'm using to connect to my server?)
*Always* check the changelogs BEFORE updating that important software!
-
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: Plain HTTP Will Be Deprecated And Killed

Post by barbaz »

barbaz wrote:if I play with my test phpBB 3.0 board over the https connection, it works for a while...
Not relevant.
Load a page on the server via HTTPS, wait a while, refresh it... and that's enough to produce that error. Puzzling Image

[EDIT Probably not relevant, but all this is with my certificate imported as an authority, not as a security exception.]
*Always* check the changelogs BEFORE updating that important software!
-
Post Reply