The ability to MITM only requires blocking port 443 and letting the browser fall back to 80; this works even against HSTS because most people will just try other URLs until one works. This way you have the best of both worlds and the user (and server) get choice/agency. The idea was to allow http if needed, and alternately allow strict https if needed, in a backwards compatible way (visiting a url would work as before, but visiting secure:// would trigger the strict security for the rest of the session). If you visit a secure:// link, every single page load in the session would require strong encryption, secure cookies, etc. Some Americans already decided this was a solved problem and that this could never happen. A long time ago I suggested a new uri prefix - "secure://" - that would be a synonym for "HTTPS-only". Sooner or later there will be an event where a government compromises a CA. Great. All this does is train people to not care about security and to just trust us to do the right thing because they are too stupid to get it. It just means that said tech giant gets exclusive access to that data. HTTPS does nothing for privacy when it's the same tech giant on the other end that is collecting all the data. Who am I trusting exactly? That I've successfully connected to some load balancer that is operated by ""? What's the use in that? Am I supposed to trust them more than some man-in-the-middle just because they own a domain name? But maybe it's for privacy? If you want privacy you use Tor. How can I possibly trust every single website I visit? It means nothing to connect to a news website, say, and see the "green padlock". I saw people reinventing tables using divs and CSS to display tabular data. I remember seeing this in the mid-2000s when HTML tables were shunned in favour of "divs". The solution then becomes popular and a singular goal of uncreative people who deploy said solution everywhere and push it to its logical extreme.
A problem exists and creative people develop an innovative solution to said problem. There's a phenomenon I observe quite regularly in tech. In the community or content sense? Not so sure. At the end of the day, the core issue is: migrating users is difficult if the benefits are not immediately obvious. And yes, massively adopting anything else would literally "kill the old web", in the protocol sense. Of course, point-to-point connections have their weaknesses as well, it might be interesting to migrate to something like beaker browser (html on top of hypercore, formerly DAT, kind of like mutable torrents in a DHT).
One option would be to make signed DNS records over a DHT: the root authority "." signs "com", "net", etc, that sign "ycombinator", etc. It's not like DNS is also our single source of trust nowadays, but at least certificate providers are competent enough to make sure names are resolved correctly. Asking users to type IP addresses isn't really an answer, I think, but I don't know if there's a lot of "basic" users who type URLs in nowadays, they all seem to rely on google providing the right website anyway, or the web browser itself.
How to securely link to websites you have never seen? Pet names seem like a way to do so. However, the DNS part remains a hard one.

* Every packet is authenticated, every packet can be encrypted
* Anyone can generate a new one on-demand

It would be much more interesting to replace IP, like Yggdrasil does (and I think gnunet, cjdns, hyperboria & others).
not because of the feature, but instead, if I enable it, I'll be cut off from legacy sites by a wall of forever "Do you want to really do this?" with likely 10 clicks of 'yes' and 'ok' and 'i understand', combined with never storing this as a default. My point is, this is going to be annoying. However, the idea that "Firefox knows best" is the sort of asinine behaviour that causes big tech issues all the time. I have zero issues with safer defaults, prompting when required. Yet, do you think I can tell my browser "never ever prompt for this again"? Nope. Why would I spend 10 seconds setting such things up? They're locked behind a firewall, (a secondary firewall), have no direct network access, and can't even be reached without port forwarding via SSH. Going through multiple prompts, each and every time someone wants to do what they want, is problematic. The real and true bothersome part, is that Firefox (and others) do not seem to allow permanent exceptions.