Two years after promising to report all HTTP-based web pages as insecure, Mozilla is about to deliver. Soon, whenever you visit one of the shrinking number of sites that doesn’t use a security certificate, the Firefox browser will warn you.
Firefox developer Johann Hofmann announced the news this week:
In desktop Firefox 70, we intend to show an icon in the “identity block” (the left hand side of the URL bar which is used to display security / privacy information) that marks all sites served over HTTP (as well as FTP and certificate errors) as insecure.
Firefox 70 will ship in October. The change is an attempt to crack down on sites that don’t secure their communications.
Insecure sites use the hypertext transfer protocol (HTTP), which sends data in clear text. HTTPS sites are more secure because they use Transport Layer Security (TLS), which establishes an encrypted link between the browser and the Web server before any HTTP requests are sent.
Hofmann explained that this was part of a broader initiative to simplify the security user-interface in Firefox 70.
Firefox began showing the ‘insecure’ icon in January 2017 but limited it to HTTP pages that collected passwords with login forms. It said at the time that it would expand the initiative to cover all HTTP pages.
Deciding to pull the trigger now is a clear statement that Mozilla believes HTTPS has become the norm. Hofmann cited Firefox’s own telemetry data, which shows that almost 80% of pages loaded in Firefox are HTTPS-based.
Other companies have been more aggressive in their attempt to stamp out HTTP. Google has gradually cracked down on sites not using TLS. In 2015, it began rewarding HTTPS websites with better search rankings. Then, in 2017, it began labelling transactional non-HTTPS sites as ‘Not Secure’, expanding this scheme last year to label any non-HTTPS site the same way. Then, when it released Chrome 69 in September 2018, it removed the ‘secure’ label from HTTPS sites, signalling that they were now mainstream as far as Google was concerned.
Our tests showed that as of this week, Safari marks non-HTTPS pages as insecure, but the Edge browser doesn’t, instead opting only to show HTTPS sites as secure.
TLS protects your HTTP traffic from eavesdropping and manipulation as it moves over a network, between you and the site you’re using. It doesn’t say anything about the security or legitimacy of the site itself though.
Unfortunately, the padlock symbol that your browser displays when you’re using HTTPS can fool users into thinking it does. Many assume (not least because security professionals spent years telling them to) that the padlock means the website they’re looking at must be the real thing, rather than a fake.
The FBI recently warned that phishing sites are preying on this misunderstanding and using TLS to appear more legitimate to victims.
Cheers. But we all know that we’ll be talking about this again in October 🙁
HTTPS without encrypting your DNS is pointless – it only works with forms or any dynamically provided content. All ISPs will log your internet traffic DNS requests and if they wish to view the (encrypted) content then all they have to do is look up the IP address you visited regardless of whether it is encrypted or not. What’s the point of that? All that it does is prevent content from being snooped upon in transit, but it certainly won’t stop your ISP or even, for goodness sakes, the Food Standards Agency from viewing your online usage. Why is it acceptable for security to only be secure from certain individuals and not others? Surely “secure” means “secure”? DNS over HTTPS should also be mandatory or even better still DNSCrypt for all DNS requests regardless of which application is in use. Then there’s cipher strength – shock horror, not all ciphers are strong but all of them will indicate that they are encrypted. I mean I “lock” my door using sticky tape and bubble gum or I could use a decent quality lock – both could be considered to be “locked”.
HTTPS with plaintext DNS isn’t *pointless*, because DNS requests only reveal the domain name part of any website you visit, which is frequently something innocent and utterly generic, such as WIKIPEDIA DOT COM or BBC DOT CO DOT UK.
HTTPS also makes DNS hijacking quite a lot harder – if crooks redirect a DNS request to a fake site, they have to produce a valid HTTPS certificate for that site’s name, too, which is not a trivial exercise if it’s a domain already owned and operated by someone else.
And, assuming you do get to the right site, which you will most of the time, HTTPS stops anyone else in the coffee shop from modifying the content on the way back to feed you bogus data (or from sniffing out exactly what you view).
So although I agree with you about the leakiness and inherent danger of unencrypted DNS, I would stop short of saying HTTPS without secure DNS is pointless, because that kind of implies that if you don’t have secure DNS available, you might as well use HTTP instead. DNS logging by ISPs only tells a small part of the story, and HTTPS protects a lot of the rest of that story.
Driving without a seatbelt is pretty darn stupid – you’d have to be dangerously ill-informed to do so out of choice – but if you don’t or can’t wear one, please don’t turn your airbag off as well :-)
The problem, as you well know, Paul, is the meta data from DNS is often all that is required in order to ascertain what people are doing online which can be abused quite easily. Merely claiming that HTTPS without secure DNS is acceptable is not sufficient to protect people’s privacy. I would challenge you to use Wireshark to sniff all your unencrypted DNS entries for one day and then go about your usual business online. How much of that meta data could be used to reconstruct and infer what you were doing? Try getting an office colleague to see how much they can guess. Then ask yourself how that data could be abused if it was sold to the wrong people. Don’t ISPs sell your DNS meta data already? Could I accurately reconstruct your life without the need to break the HTTPS encryption?
No one is “merely claiming that HTTPS without secure DNS is acceptable”… but for all that a record of all your DNS traffic for one day gives away quite a lot about you, it doesn’t actually give any sort of detail at all. OTOH, a record of all your HTTP traffic for one day wouldn’t pretty much expose *everything* (as well as putting you at risk of fake news, booby-trapped downloads and stolen passwords pretty much all the time).
My comment still stands: calling HTTPS without secure DNS “pointless” is overstating your case, and even runs the risk of misleading people into thinking that, if they can’t be bothered to set up secure DNS, they might as well not bother about HTTPS either. I think that is a needlessly extreme point of view.
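The distinction argued in the comments above (a plaintext DNS query exposes the domain name, while plain HTTP exposes the whole request) can be made concrete by building the DNS query bytes and reading them back as an on-path observer would. This is an added example, not part of the original article or its comments; the URL, form body and function names are constructed for illustration.

```python
import struct
from urllib.parse import urlsplit

def build_dns_query(hostname, txid=0x1234):
    """Wire-format DNS query for an A record, as sent in clear text over UDP port 53."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD flag, one question
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in hostname.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def sniff_qname(packet):
    """What an observer recovers from the query: the hostname and nothing else."""
    labels, pos = [], 12  # the question section follows the 12-byte header
    while packet[pos] != 0:
        length = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels)

def observer_view(url, body=""):
    """Fields readable on the wire for one request, with plaintext DNS in both cases."""
    parts = urlsplit(url)
    seen = {"dns_name": sniff_qname(build_dns_query(parts.hostname))}
    if parts.scheme == "http":
        # HTTP sends the request line, headers and body in clear text.
        target = parts.path or "/"
        if parts.query:
            target += "?" + parts.query
        seen["request_target"] = target
        seen["body"] = body
    # With https the request target and body travel inside the TLS session.
    # The hostname is still exposed by DNS (and normally by the TLS SNI field).
    return seen

# Constructed sample URL and form body.
SAMPLE_PATH = "/wiki/Some_medical_condition?action=edit"
HTTP_VIEW = observer_view("http://example.org" + SAMPLE_PATH, "password=hunter2")
HTTPS_VIEW = observer_view("https://example.org" + SAMPLE_PATH, "password=hunter2")

if __name__ == "__main__":
    print("HTTP :", HTTP_VIEW)
    print("HTTPS:", HTTPS_VIEW)
```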