On Monday, April 13, 2015 at 7:57:58 AM UTC-7, Richard Barnes wrote: > In order to encourage web developers to move from HTTP to HTTPS, I would > like to propose establishing a deprecation plan for HTTP without security. > Broadly speaking, this plan would entail limiting new features to secure > contexts, followed by gradually removing legacy features from insecure > contexts. Having an overall program for HTTP deprecation makes a clear > statement to the web community that the time for plaintext is over -- it > tells the world that the new web uses HTTPS, so if you want to use new > things, you need to provide security.
I'd be fully supportive of this if - and only if - at least one of the following is implemented alongside it: * Less scary warnings about self-signed certificates (i.e. treat HTTPS+selfsigned like we do with HTTP now, and treat HTTP like we do with HTTPS+selfsigned now); the fact that self-signed HTTPS is treated as less secure than HTTP is - to put this as politely and gently as possible - a pile of bovine manure * Support for a decentralized (blockchain-based, ala Namecoin?) certificate authority Basically, the current CA system is - again, to put this as gently and politely as possible - fucking broken. Anything that forces the world to rely on it exclusively is not a solution, but is instead just going to make the problem worse. _______________________________________________ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform