This is a sad state of affairs for non-commercial hobby projects.
First, they remove “http://” from the address bar, so that no one who has any clue about anything could make any sense of what’s going on.
Now they’re suggesting that no one has any idea of what’s going on (duh, after you’ve just removed the indication that always worked!), and more warnings must be given.
Meanwhile, they do cite RFC 7258: Pervasive Monitoring Is an Attack, yet this proposal appears to be in direct contradiction of automatic passive encryption – why don’t they instead add the ability to do something like STARTTLS to http? Giving huge and loud warnings for self-signed https and making it worse than http is not enough as is?
But self-signed HTTPS is worse than unencrypted HTTP.
Self-signed HTTPS is less than insecure; it offers no additional security and adds the complexity of pulling in the crypto stack.
I too wish Trust On First Use was a working security model. But, it isn’t! SSH is an excellent example. As the quote goes, “every time there’s an error in the ssh key generation, the user is asked, ‘please type yes to trusting this new key’, or, ‘please go into your known hosts file and delete that value’, and every last time they do it, because it’s always the fault of a server misconfiguration. The SSH model is cool, it don’t scale.” Perspectives tried to push this model. I guess we’ll see where Certificate Transparency goes too.
Here’s to a future where certs are fiscally cheap but expensive enough to dissuade bot-nets / evil people. (like e-mail addresses are now.)
Pretty much all browsers actually implement trust on first use (or key continuity). They just wrap it up in the worst UI possible, full of “you’re under attack!” dialog boxes.
I think it’s worse than that. The user interface of both Firefox and Chrome leads me to believe that when you say “Confirm Security Exception” or the equivalent, you’re adding some random CA as a trusted CA, which means it can spoof any other domain thereafter. Maybe you’re saying that that isn’t true?
Like I said, the UI is terrible. :)
You are adding an exception for that one cert for that one site.
The dialog for adding a new CA cert that is trusted for all sites looks a little different. Click here to see that.
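To make the distinction in the comments above concrete (a per-site exception for one certificate, as against trusting a CA for every site, and the SSH known_hosts style “delete that value” step), here is an added example of a trust-on-first-use pin store. It is illustrative code written for this discussion, not code from any browser, from SSH, or from any commenter; the certificate bytes are constructed stand-ins for DER-encoded certificates, and the host names are made up.

```python
"""Trust-on-first-use (key continuity) pin store, in the spirit of SSH's known_hosts.

Added example, not code from the thread or from any browser.  A pin binds one
(host, port) to the SHA-256 fingerprint of the one leaf certificate that was
seen first.  That is the "exception for that one cert for that one site":
a pin for example.test says nothing about any other name, unlike trusting a
CA, which would cover every name that CA ever signs.
"""
import hashlib
import hmac
from enum import Enum


class Decision(Enum):
    FIRST_USE = "first use: no pin yet, recording this certificate"
    MATCH = "certificate matches the pin recorded earlier"
    MISMATCH = "certificate differs from the pin: interception or server rekey"


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER bytes, the same value browsers display as the cert fingerprint."""
    return hashlib.sha256(der_cert).hexdigest()


class PinStore:
    """Per-site pins, keyed on (host, port) exactly like a known_hosts entry."""

    def __init__(self) -> None:
        self._pins: dict[tuple[str, int], str] = {}

    def check(self, host: str, port: int, der_cert: bytes) -> Decision:
        key = (host.lower(), port)
        seen = fingerprint(der_cert)
        pinned = self._pins.get(key)
        if pinned is None:
            # First contact: trust on first use, and remember what we trusted.
            self._pins[key] = seen
            return Decision.FIRST_USE
        # Constant-time compare; the hex digests are equal length.
        if hmac.compare_digest(pinned, seen):
            return Decision.MATCH
        # This is the case the dialog boxes are about.  The store does not
        # decide for the user; it only reports that the key changed.
        return Decision.MISMATCH

    def forget(self, host: str, port: int) -> None:
        """The 'go into your known hosts file and delete that value' step."""
        self._pins.pop((host.lower(), port), None)


# Constructed stand-ins for two different DER-encoded leaf certificates.
CERT_A = b"\x30\x82\x01\x00constructed-cert-A-for-example.test"
CERT_B = b"\x30\x82\x01\x00constructed-cert-B-after-a-rekey"


def walkthrough() -> list[Decision]:
    """Run the scenarios the thread discusses and return the decisions in order."""
    store = PinStore()
    return [
        store.check("example.test", 443, CERT_A),   # first visit: pin recorded
        store.check("example.test", 443, CERT_A),   # revisit: same cert, quiet
        store.check("example.test", 443, CERT_B),   # cert changed: warn
        store.check("other.test", 443, CERT_A),     # pin is per site, so this is a first use
        # Operator confirms the rekey was legitimate; the user clears the pin.
        (store.forget("example.test", 443), store.check("example.test", 443, CERT_B))[1],
    ]


if __name__ == "__main__":
    for decision in walkthrough():
        print(decision.value)
```

The fourth scenario is the point of the earlier comment: the pin recorded for example.test does nothing for other.test, even though the very same certificate is presented, so a per-site exception cannot be used to spoof a different domain. Trusting a CA instead would be a single entry that every name resolves against.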
It would be nice to at least have this as a (about:config, flags, etc) configurable option. For example, in my Tor-based browser, I would very much like “http://” to show up in bright red. My traditionally-routed browser, less so.
Chromium security-dev discussion and one more on UI (sorry, both Google Groups links)
Firefox recently passed on this (more discussion).
Sorry, I don’t think all web traffic should be HTTPS. The real world equivalent of that would be putting a black mask on before you leave your house, on the off chance that someone might see you go to the library.
Maybe the web isn’t the right platform for shared computing? What if we just used the web as it was designed to be used?