this post was submitted on 03 Oct 2023
657 points (99.0% liked)
Firefox
17301 readers
42 users here now
A place to discuss the news and latest developments on the open-source browser Firefox
founded 4 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
HTTPS is pretty much ubiquitous these days. It's mostly an issue on a few smaller websites and blogs that people haven't cared enough about to bother getting a cert for... But even that is rapidly going away. Even if a website has HTTPS, it's not entirely uncommon for some resources to be loaded over regular HTTP, and sometimes websites don't properly redirect you to the HTTPS version, making it possible to end up on the unencrypted version by accident.
HTTPS is great, and Let's Encrypt has been such a godsend for it... That said it's not perfect, and also has some limitations on its own, and not every website implements all of the mitigations that help HTTPS do its job, so HTTPS adoption is a bit of a mixed bag. A big issue is that when you try to secure a previously insecure protocol this often makes downgrade attacks possible. For instance, if you just type "lemmy.world" into your web browser, and if somebody is able to intercept those packets, they could just reply "hey, I'm the lemmy.world, I don't do HTTPS, let's talk unencrypted" and your browser would have no idea that it should be talking HTTPS instead of HTTP. One way to avoid this problem is just by explicitly telling your browser to use HTTPS by going to "https://lemmy.world", which tells it to talk over HTTPS, and in that case the man-in-the-middle wouldn't be able to tell you to use HTTP instead and won't be able to provide a valid certificate for lemmy.world (hopefully, anyway :P). This is also what HSTS is used for... It's a header that the webserver sends to your browser saying "only talk to me with HTTPS", so once you've visited a site your browser will remember that it should only use HTTPS with it in the future. This only applies to websites which you've visited before, though... To improve the protections a little bit there's HSTS preload lists (basically your browser can have a list of HTTPS websites baked into it, so it knows when to only use HTTPS before you even do), https://hstspreload.org/... Or we could just solve this problem with DNSSEC and DANE, which allows you to look up the TLS certificates that should be used for the domain in DNS.
That's probably more of a rant than you wanted π ... But basically, HTTPS adoption is really good these days in the sense that most websites will have a TLS certificate available (probably from Let's Encrypt!), and will speak HTTPS. But, there's still areas where we can improve internet security. I'm not sure how the adoption of HSTS is going, but I think it's pretty low. DNSSEC adoption is abysmal and we should probably fix that.
It never used to be, though. The same will happen with ECH/ESNI eventually, especially if browsers push for it like they did with TLS.
Yeah, especially before Let's Encrypt recently it was a complete disaster. Definitely will be better support for ECH soon.
Cloudflare helped quite a bit too, although I wouldn't call that "true" TLS as part of the connection was unencrypted. In the old Cloudflare days before Let's Encrypt existed and before Cloudflare had their self signed origin certs, often the connection between the end user and Cloudflare was encrypted, but the connection from Cloudflare to the origin server wasn't. People were celebrating Cloudflare as a way to easily add TLS to a site, but in the background it was still plain text!
I think all browsers will refuse to load a resource over HTTP if the website is served over HTTPS.
This is not true. Browsers will happily use http even if https is available, and without other mitigations like HSTS or DANE there is no way for your browser to even know that a site supports https. Many websites will forcibly redirect you to https, but this is the server telling you βhey connect with https insteadβ. A man-in-the-middle can simply not tell you to use https. Browsers have started marking http sites as insecure and will warn you about sending passwords, however.
I think I phrased it wrong, or there is a confusion with terms.
If a page is loaded with HTTPS, then images/CSS/JS/iFrames (resources) will not load over HTTP. The resources also have to be served via HTTPS.
If a page is loaded over HTTP, then resources (images/CSS/JS/iFrames) can be loaded over HTTPS.
My objection was to the "even if a server has HTTPS, some resources will still load over HTTP"
As far as I know, this is not strictly true either. I believe most browsers currently block mixed active content like JavaScript or iframes, but will happily load images and such over HTTP (although I would not be surprised if this is changing).