Plain HTTP Will Be Deprecated And Killed

General discussion about web technology.

Plain HTTP Will Be Deprecated And Killed

Postby barbaz » Sat May 30, 2015 5:55 am

https://blog.mozilla.org/security/2015/04/30/deprecating-non-secure-http/

Anyone else think this is a bad idea?
It'll eventually completely cut off people's ability to view some older sites. And IMO providing different feature sets to HTTP sites vs HTTPS sites is just asking to create weird issues...
Oh, and thanks guys for making me need to add some form HTTPS support to my local server (where the connection only runs between my computer and my computer, not outside that). sigh.. now how to set up HTTPS without paying money...

Now if they were to make this deal default with an about:config-only option to keep plain HTTP, I wouldn't be saying it's a bad idea...
*Always* check the changelogs BEFORE updating that important software!
Board search is currently partially broken: https://forums.informaction.com/viewtopic.php?f=14&t=21752
Workaround: use your favorite search engine, add site:forums.informaction.com to your query
-
barbaz
Senior Member
 
Posts: 7102
Joined: Sat Aug 03, 2013 5:45 pm

Re: Plain HTTP Will Be Deprecated And Killed

Postby Thrawn » Sun May 31, 2015 11:55 pm

barbaz wrote:now how to set up HTTPS without paying money...

Anything wrong with a self-signed certificate?

I think that something like viewtopic.php?f=19&t=20805 should be developed before killing off HTTP altogether.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0
User avatar
Thrawn
Senior Member
 
Posts: 3020
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: Plain HTTP Will Be Deprecated And Killed

Postby Giorgio Maone » Mon Jun 01, 2015 12:44 am

barbaz wrote:now how to set up HTTPS without paying money...

I understand this is a huge part of the deal ;)
Mozilla/5.0 (Windows NT 6.3; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0
User avatar
Giorgio Maone
Site Admin
 
Posts: 8120
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Plain HTTP Will Be Deprecated And Killed

Postby barbaz » Mon Jun 01, 2015 1:41 am

Thrawn wrote:Anything wrong with a self-signed certificate?

That would be fine (actually, the ideal solution in this case), except for this.
(But I'm not completely sure that bug applies to HTTPS. If I replace my existing (default) certificate and set up my server to do HTTPS, I can confirm a security exception for HTTPS connections... only done cursory testing so far though.)

Giorgio Maone wrote:
barbaz wrote:now how to set up HTTPS without paying money...

I understand this is a huge part of the deal ;)

Thanks for the suggestion, but while that would work for an actual site admin, it sounds like it wouldn't work for the setup I've got...
*Always* check the changelogs BEFORE updating that important software!
Board search is currently partially broken: https://forums.informaction.com/viewtopic.php?f=14&t=21752
Workaround: use your favorite search engine, add site:forums.informaction.com to your query
-
barbaz
Senior Member
 
Posts: 7102
Joined: Sat Aug 03, 2013 5:45 pm

Re: Plain HTTP Will Be Deprecated And Killed

Postby Thrawn » Mon Jun 01, 2015 6:14 am

barbaz wrote:
Thrawn wrote:Anything wrong with a self-signed certificate?

That would be fine (actually, the ideal solution in this case), except for this.

Can you import the certificate into the trust store properly, instead of just making a security exception?
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0
User avatar
Thrawn
Senior Member
 
Posts: 3020
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: Plain HTTP Will Be Deprecated And Killed

Postby barbaz » Mon Jun 01, 2015 4:24 pm

Thrawn wrote:Can you import the certificate into the trust store properly, instead of just making a security exception?

I don't know how to do that, and given the nature of what I do with that server, the certificate could be subject to change at any time... :?
Also would this involve a modification to my profile only? If not, if it involves modifying my SeaMonkey install dir or build, it'll be really impractical.
*Always* check the changelogs BEFORE updating that important software!
Board search is currently partially broken: https://forums.informaction.com/viewtopic.php?f=14&t=21752
Workaround: use your favorite search engine, add site:forums.informaction.com to your query
-
barbaz
Senior Member
 
Posts: 7102
Joined: Sat Aug 03, 2013 5:45 pm

Re: Plain HTTP Will Be Deprecated And Killed

Postby Thrawn » Mon Jun 01, 2015 10:26 pm

Well, I don't know Seamonkey, but on (Ubuntu) Firefox, it's Edit - Preferences - Advanced - Certificates - Import.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0
User avatar
Thrawn
Senior Member
 
Posts: 3020
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: Plain HTTP Will Be Deprecated And Killed

Postby barbaz » Mon Jun 01, 2015 10:29 pm

Thanks, that's enough of a hint for me to find it: SeaMonkey Preferences > Privacy & Security > Certificates > Manage Certificates...
Now to see what it actually does...
*Always* check the changelogs BEFORE updating that important software!
Board search is currently partially broken: https://forums.informaction.com/viewtopic.php?f=14&t=21752
Workaround: use your favorite search engine, add site:forums.informaction.com to your query
-
barbaz
Senior Member
 
Posts: 7102
Joined: Sat Aug 03, 2013 5:45 pm

Re: Plain HTTP Will Be Deprecated And Killed

Postby Thrawn » Mon Jun 01, 2015 10:30 pm

How well do you know security certificates?
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0
User avatar
Thrawn
Senior Member
 
Posts: 3020
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: Plain HTTP Will Be Deprecated And Killed

Postby barbaz » Mon Jun 01, 2015 10:48 pm

Even grabbing my cert via sftp and importing it doesn't work, it still wants a security exception.

Thrawn wrote:How well do you know security certificates?

Not very well. This is the first time I've dealt with this stuff on the server side.
*Always* check the changelogs BEFORE updating that important software!
Board search is currently partially broken: https://forums.informaction.com/viewtopic.php?f=14&t=21752
Workaround: use your favorite search engine, add site:forums.informaction.com to your query
-
barbaz
Senior Member
 
Posts: 7102
Joined: Sat Aug 03, 2013 5:45 pm

Re: Plain HTTP Will Be Deprecated And Killed

Postby barbaz » Mon Jun 01, 2015 11:26 pm

barbaz wrote:(But I'm not completely sure that bug applies to HTTPS. If I replace my existing (default) certificate and set up my server to do HTTPS, I can confirm a security exception for HTTPS connections... only done cursory testing so far though.)

And indeed, more playing with it indicates that HTTPS security exceptions are separate from mail security exceptions - or at least, not affected by the same problem as mail security exceptions. Looks like I will be able to get a self-signed certificate working after all. 8-)
*Always* check the changelogs BEFORE updating that important software!
Board search is currently partially broken: https://forums.informaction.com/viewtopic.php?f=14&t=21752
Workaround: use your favorite search engine, add site:forums.informaction.com to your query
-
barbaz
Senior Member
 
Posts: 7102
Joined: Sat Aug 03, 2013 5:45 pm

Re: Plain HTTP Will Be Deprecated And Killed

Postby Thrawn » Tue Jun 02, 2015 11:19 pm

Self-signed certificates can be imported as Certificate Authorities, just like the built-in authorities. In fact, every root authority is self-signed (by definition). In cases where you control the certificate yourself, it's a much better approach than adding exceptions: you don't get certificate warning fatigue, you'll know if it somehow changes, you can use Strict Transport Security, etc.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0
User avatar
Thrawn
Senior Member
 
Posts: 3020
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: Plain HTTP Will Be Deprecated And Killed

Postby barbaz » Wed Jun 03, 2015 12:17 am

Ah, I was trying to import it as a server certificate. Works if I import it as an authority. Thanks :D
*Always* check the changelogs BEFORE updating that important software!
Board search is currently partially broken: https://forums.informaction.com/viewtopic.php?f=14&t=21752
Workaround: use your favorite search engine, add site:forums.informaction.com to your query
-
barbaz
Senior Member
 
Posts: 7102
Joined: Sat Aug 03, 2013 5:45 pm

Re: Plain HTTP Will Be Deprecated And Killed

Postby barbaz » Wed Jun 03, 2015 2:51 am

Now this is odd... if I play with my test phpBB 3.0 board over the https connection, it works for a while... but then abruptly borks? And restarting the browser (doing nothing on the server side) gets it back again?
(Plain HTTP seems unaffected.)

Secure Connection Failed

The connection to [MY_SERVER'S_IP] has terminated unexpectedly. Some data may have been transferred.

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.

Please contact the website owners to inform them of this problem.

Yeah, contacting myself is totally going to get this solved. :lol:

Nothing related in the Error Console.
HTTPFox log (same for any URL on my server, but I could swear the first time this happened, only my local test board was affected):
Code: Select all
XX:XX:XX.XXX   0.082   414   0   GET   (Error)   NS_ERROR_NET_INTERRUPT   https://[MY_SERVER'S_IP]/
XX:XX:XX.XXX   *   263/263   *   GET   *   *   https://[MY_SERVER'S_IP]/favicon.ico


(I have not tried accessing my local phpBB 3.1 test board, but I suspect that would not work either.)

There are a few things I can think to try that I haven't tried yet, but throwing this out there anyway - even if I do find the answer on my own, it might help someone else.
(Wonder if it could even be a bug in VirtualBox 4.3.26 host-only network that I'm using to connect to my server?)
*Always* check the changelogs BEFORE updating that important software!
Board search is currently partially broken: https://forums.informaction.com/viewtopic.php?f=14&t=21752
Workaround: use your favorite search engine, add site:forums.informaction.com to your query
-
barbaz
Senior Member
 
Posts: 7102
Joined: Sat Aug 03, 2013 5:45 pm

Re: Plain HTTP Will Be Deprecated And Killed

Postby barbaz » Wed Jun 03, 2015 3:13 am

barbaz wrote:if I play with my test phpBB 3.0 board over the https connection, it works for a while...

Not relevant.
Load a page on the server via HTTPS, wait a while, refresh it... and that's enough to produce that error. Puzzling Image

[EDIT Probably not relevant, but all this is with my certificate imported as an authority, not as a security exception.]
*Always* check the changelogs BEFORE updating that important software!
Board search is currently partially broken: https://forums.informaction.com/viewtopic.php?f=14&t=21752
Workaround: use your favorite search engine, add site:forums.informaction.com to your query
-
barbaz
Senior Member
 
Posts: 7102
Joined: Sat Aug 03, 2013 5:45 pm

Next

Return to Web Tech

Who is online

Users browsing this forum: No registered users and 1 guest