this post was submitted on 03 Oct 2023
528 points (98.9% liked)

Firefox

17907 readers
37 users here now

A place to discuss the news and latest developments on the open-source browser Firefox

founded 4 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] TiffyBelle@feddit.uk 81 points 1 year ago (3 children)

All well and good, but sadly this relies on the hosts managing DNS to include specific entries in their DNS configuration for keys to use during the encryption process. Unfortunately the vast majority of hosts probably won't be bothered to do this, similar to DNSSEC.

[–] LastYearsPumpkin@feddit.ch 108 points 1 year ago (3 children)

And HTTPS relies on hosts managing SSL certificates. Web services don't use them until it hits a critical mass, then it becomes weird and broken when you aren't using it.

This just needs some time to settle in.

[–] DarkThoughts@kbin.social 61 points 1 year ago (3 children)

I remember when absolutely no one used https and then in a matter of a couple years things got really fast. Now you can easily browse with https required and only occasionally find the odd website that doesn't use it (mostly some internet relic). That was such a great transition when it happened though.

[–] FriendlyBeagleDog@lemmy.blahaj.zone 34 points 1 year ago* (last edited 1 year ago) (1 children)

It felt like it happened practically overnight when Let's Encrypt released.

[–] Chobbes@lemmy.world 28 points 1 year ago (1 children)

Let's Encrypt was a godsend. Getting a TLS certificate before sucked.

[–] kautau@lemmy.world 20 points 1 year ago (1 children)

Yes. Thank these folks:

Mozilla employees Josh Aas and Eric Rescorla, together with Peter Eckersley at the Electronic Frontier Foundation and J. Alex Halderman at the University of Michigan. Internet Security Research Group, the company behind Let's Encrypt, was incorporated in May 2013.

They created the ACME standard, the open source community got on board, and soon enough everyone bought in, a massive step forward for Internet security and the benefit of open source.

[–] jazir5@lemmy.ml 11 points 1 year ago

So Firefox is basically the GOAT when it comes to internet security and privacy? They should team up with the signal guys.

[–] Rade0nfighter@lemmy.world 22 points 1 year ago (1 children)

Google preferring https sites was the motivator I saw for client demands.

SEO scores feed into the PPC cost in AdWords so all of a sudden people were crying out for their sites to “have the padlock icon” because what’s 20 bucks for a cert when you’re spending thousands of dollars a month

[–] jazir5@lemmy.ml 5 points 1 year ago

And now it's free with stuff like Let's Encrypt.

[–] dependencyInjection@sh.itjust.works 10 points 1 year ago* (last edited 1 year ago) (2 children)

Even with tools like Let’s Encrypt, people are still not ~~implanting~~ implementing HTTPS?

[–] Chobbes@lemmy.world 9 points 1 year ago (2 children)

HTTPS is pretty much ubiquitous these days. It's mostly an issue on a few smaller websites and blogs that people haven't cared enough about to bother getting a cert for... But even that is rapidly going away. Even if a website has HTTPS, it's not entirely uncommon for some resources to be loaded over regular HTTP, and sometimes websites don't properly redirect you to the HTTPS version, making it possible to end up on the unencrypted version by accident.

HTTPS is great, and Let's Encrypt has been such a godsend for it... That said it's not perfect, and also has some limitations on its own, and not every website implements all of the mitigations that help HTTPS do its job, so HTTPS adoption is a bit of a mixed bag. A big issue is that when you try to secure a previously insecure protocol this often makes downgrade attacks possible. For instance, if you just type "lemmy.world" into your web browser, and if somebody is able to intercept those packets, they could just reply "hey, I'm the lemmy.world, I don't do HTTPS, let's talk unencrypted" and your browser would have no idea that it should be talking HTTPS instead of HTTP. One way to avoid this problem is just by explicitly telling your browser to use HTTPS by going to "https://lemmy.world", which tells it to talk over HTTPS, and in that case the man-in-the-middle wouldn't be able to tell you to use HTTP instead and won't be able to provide a valid certificate for lemmy.world (hopefully, anyway :P). This is also what HSTS is used for... It's a header that the webserver sends to your browser saying "only talk to me with HTTPS", so once you've visited a site your browser will remember that it should only use HTTPS with it in the future. This only applies to websites which you've visited before, though... To improve the protections a little bit there's HSTS preload lists (basically your browser can have a list of HTTPS websites baked into it, so it knows when to only use HTTPS before you even do), https://hstspreload.org/... Or we could just solve this problem with DNSSEC and DANE, which allows you to look up the TLS certificates that should be used for the domain in DNS.

That's probably more of a rant than you wanted 😅... But basically, HTTPS adoption is really good these days in the sense that most websites will have a TLS certificate available (probably from Let's Encrypt!), and will speak HTTPS. But, there's still areas where we can improve internet security. I'm not sure how the adoption of HSTS is going, but I think it's pretty low. DNSSEC adoption is abysmal and we should probably fix that.

[–] dan@upvote.au 4 points 1 year ago (1 children)

HTTPS is pretty much ubiquitous these days.

It never used to be, though. The same will happen with ECH/ESNI eventually, especially if browsers push for it like they did with TLS.

[–] Chobbes@lemmy.world 3 points 1 year ago (1 children)

Yeah, especially before Let's Encrypt recently it was a complete disaster. Definitely will be better support for ECH soon.

[–] dan@upvote.au 2 points 1 year ago

Cloudflare helped quite a bit too, although I wouldn't call that "true" TLS as part of the connection was unencrypted. In the old Cloudflare days before Let's Encrypt existed and before Cloudflare had their self signed origin certs, often the connection between the end user and Cloudflare was encrypted, but the connection from Cloudflare to the origin server wasn't. People were celebrating Cloudflare as a way to easily add TLS to a site, but in the background it was still plain text!

[–] towerful@programming.dev 1 points 1 year ago

Even if a website has HTTPS, it's not entirely uncommon for some resources to be loaded over regular HTTP

I think all browsers will refuse to load a resource over HTTP if the website is served over HTTPS.

[–] 4am@lemm.ee 5 points 1 year ago

The only place (other than old unmaintained sites) I’ve seen no TLS has been promotional sites for video games. Possibly something hastily thrown together?

[–] TiffyBelle@feddit.uk 5 points 1 year ago

You're right, but HTTPS implementation added real, tangible benefits that everyone could understand. I think ECH is a little more abstract for the average user, which is why I compared it to DNSSEC which has notoriously poor buy-in.

Obviously I hope ECH becomes a well-implemented standard. I'm just rather cynical that it'll be the case.

[–] Gestrid@lemmy.ca 8 points 1 year ago (1 children)

Apparently, Cloudflare already supports ECH, and a not-insignificant number of websites use them.

[–] Amends1782@lemmy.ca -3 points 1 year ago (1 children)

Unfortunately though, is that it's cloudflare

[–] Franzia@lemmy.blahaj.zone 2 points 1 year ago (2 children)

Can you give me more insight as to why you don't like cloudflare? I'm barely informed about this.

[–] sloppy_diffuser@sh.itjust.works 3 points 1 year ago* (last edited 1 year ago)

They created ECH. It makes what hosts you are visiting exclusive to them and browser companies when in use. You get marginal privacy through less companies being able to harvest your data.

Its marginal because that data is probably sold anyways.

That said, less competitors with the same data drives up the value when it does get sold which benefits, you guessed it, the author which is Cloudflare.

[–] pazukaza@lemmy.ml 1 points 1 year ago (1 children)

Wouldn't it be better if reverse proxies simply had a "default key" meant to encrypt the SNI after an unencrypted "hello" is received?

Including DNS in this seems weird.

[–] p1mrx@sh.itjust.works 1 points 1 year ago

What would stop a MITM attacker from replacing the key? The server can't sign the key if it doesn't know which domain the client is trusting.