Conversation

Notices

1. The Register (register@social.undernet.uy)'s status on Wednesday, 08-Mar-2017 05:19:55 UTC The Register
   Firefox 52 kills plugins - except Flash - and runs up a red flag for HTTP #theregister #news http://go.theregister.com/feed/www.theregister.co.uk/2017/03/08/firefox_52/
   • Stephen Michael Kellat repeated this.
   • nds (nds@dent.smithfam.info)'s status on Wednesday, 08-Mar-2017 14:38:58 UTC nds

     in reply to

     • Stephen Michael Kellat
     @alpacaherder I am still of the opinion that flagging http as "not secure" is wrong-headed, as many web sites have no reasonable requirement for encryption.
     Stephen Michael Kellat repeated this.
   • Windigo ☴ (windigo@micro.fragdev.com)'s status on Wednesday, 08-Mar-2017 15:37:04 UTC Windigo ☴

     in reply to

     • Temp Fix
     • nds
     • Stephen Michael Kellat
     @nds @alpacaherder I'm not sure - with some of the fancy MitM stuff going on with ISPs and other networks, I might agree with Mozilla. !tempfix
     Stephen Michael Kellat repeated this.
   • MMN-o ✅⃠ (mmn@social.umeahackerspace.se)'s status on Wednesday, 08-Mar-2017 23:39:13 UTC MMN-o ✅⃠

     in reply to

     • Windigo ☴
     • nds
     • Stephen Michael Kellat
     @nds @alpacaherder Anyone with a site that uses HTTP only and serves a website to a client with javascript enabled is serving potentially hazardous content (as any javascript - tracking, spying, exploiting - can be injected by any machine in the middle).
     Stephen Michael Kellat likes this.
     Stephen Michael Kellat repeated this.
   • LinuxWalt (@lnxw48a1) {3EB165E0-5BB1-45D2-9E7D-93B31821F864} (lnxw48a1@nu.federati.net)'s status on Thursday, 09-Mar-2017 02:33:14 UTC LinuxWalt (@lnxw48a1) {3EB165E0-5BB1-45D2-9E7D-93B31821F864}

     in reply to

     • MMN-o ✅⃠
     • Windigo ☴
     • nds
     • Stephen Michael Kellat
     @windigo @nds @alpacaherder @mmn As long as the CA system remains the same (ignoring cert pinning, since most sites do not use it), MITM is just as possible. It just requires any one of the hundreds of browser-known cert authorities to issue it, intentionally or otherwise.
     
     Encryption is good. But the authentication piece is broken beyond repair, and we do our users no service by not informing them of this brokenness.
     Stephen Michael Kellat repeated this.
   • MMN-o ✅⃠ (mmn@social.umeahackerspace.se)'s status on Thursday, 09-Mar-2017 09:13:18 UTC MMN-o ✅⃠

     in reply to

     • LinuxWalt (@lnxw48a1) {3EB165E0-5BB1-45D2-9E7D-93B31821F864}
     I agree, but it cuts down the attack vector from anyone to only some, if you switch sites from HTTP to HTTPS.
     
     A better choice would be however if browsers disabled javascript on unencrypted endpoints.