Discussion:
It's the end of the web as we know it, and I don't feel fine.
(too old to reply)
superkuh
2020-11-17 17:39:48 UTC
Permalink
HTTPS only comes from a good place. People want privacy from their
governments' pervasive spying. Unfortunately, by going full retard and
not allowing HTTP combined with the centralized nature of cert
authorities, this privacy push has and will result in a situation that
absolutely delights those same central governments. Because now they
will have full control of who can speak and who can not.

https://blog.mozilla.org/security/2020/11/17/firefox-83-introduces-https-only-mode/


I give it about 3 years before all massive commercial browsers stop
allowing you to visit HTTP sites at all and Firefox only allows if you
use their unstable beta build.

HTTPS only, transport layer security only (for IRC, for SMTP, for HTTP,
etc), will be the end of personal autonomy on the internet. There are
only a handful of cert authories that actually get used as as each of
those get bigger they become more easily corrupted by money and external
government influence. We saw it with dot org. I doubt LetsEncrypt will
be significantly more robust over the same time scales.

HTTPS only is insidious. The very people we've come to trust are working
for our privacy are now working to solidify and centralize a system that
allows for a few big players to decide on whim (or otherwise) who can
speak. And it has to stop.
superkuh
2020-11-17 17:41:36 UTC
Permalink
And no, self-signed certs won't be the solution. Most browsers already
put up giant scaremongering warnings about self-signed certs. It won't
be too long until they're not allowed at all in the big corporate browsers.
rtr
2021-11-26 12:43:11 UTC
Permalink
On Tue, 17 Nov 2020 11:41:36 -0600
Post by superkuh
And no, self-signed certs won't be the solution. Most browsers
already put up giant scaremongering warnings about self-signed certs.
It won't be too long until they're not allowed at all in the big
corporate browsers.
I think this highlights a deeper problem than HTTPS. I think the
development of the web and web browsers have become prohibitive such
that only a few giant entities have the capacity or the resource to
produce a web browser. If only a web browser can be more easily
developed but is still user friendly and doesn't break "normie" sites
then it would be good.

Pinku Basudei
2020-12-03 19:56:33 UTC
Permalink
On Tue, 17 Nov 2020 11:39:48 -0600
Post by superkuh
I give it about 3 years before all massive commercial browsers stop
allowing you to visit HTTP sites at all and Firefox only allows if you
use their unstable beta build.
Their blog says you can turn it off for now but as you say this may change in the future. The tech savvy can probably find a browser that allows http but the average user will just stick with what's comes with their phone.

The happy wild west of 90's web is gone and tech companies that been working hard ever since on centralizing it in the name of safety but it's really about $$$ and who has more cash at their disposal than nation states? Amazon and Alphabet perhaps but other than that not many.
--
/ Pinku
Joe Blow
2020-12-26 21:17:26 UTC
Permalink
Post by superkuh
HTTPS only is insidious. The very people we've come to trust are working
for our privacy are now working to solidify and centralize a system that
allows for a few big players to decide on whim (or otherwise) who can
speak. And it has to stop.
Browsers not using http doen't bother me much. You don't have to use an
up-to-date browser. You don't even have to use a graphical one. Lynx is
100% free of all javascript exploits because it doesn't use Javascript.
My worry comes when the powers that be start forcing ISPs to monitor all
traffic and disallow unapproved traffic e.g. Tor onion services or other
services that are unable to be policed efficiently (usenet, irc).
superkuh
2020-12-28 02:08:28 UTC
Permalink
The problem is that everyone else isn't going to be using a browser that
supports HTTP. So that means when you try to host a webserver from home
you either tether yourself to the whims of a certificate authority and
run HTTPS, go self-signed and have the browsers reject you anyway, or
just not care that the web is splintering into parts and that your
website will only be accessible to a small minority of geeks. I can
understand the last one but I don't want to give up on the web yet.
Regular users need to be able to access HTTP sites.
Post by Joe Blow
Browsers not using http doen't bother me much. You don't have to use an
up-to-date browser. You don't even have to use a graphical one. Lynx is
100% free of all javascript exploits because it doesn't use Javascript.
My worry comes when the powers that be start forcing ISPs to monitor all
traffic and disallow unapproved traffic e.g. Tor onion services or other
services that are unable to be policed efficiently (usenet, irc).
rtr
2021-11-26 12:39:35 UTC
Permalink
On Sun, 27 Dec 2020 20:08:28 -0600
Post by superkuh
The problem is that everyone else isn't going to be using a browser
that supports HTTP. So that means when you try to host a webserver
from home you either tether yourself to the whims of a certificate
authority and run HTTPS, go self-signed and have the browsers reject
you anyway, or just not care that the web is splintering into parts
and that your website will only be accessible to a small minority of
geeks. I can understand the last one but I don't want to give up on
the web yet. Regular users need to be able to access HTTP sites.
Post by Joe Blow
Browsers not using http doen't bother me much. You don't have to
use an up-to-date browser. You don't even have to use a graphical
one. Lynx is 100% free of all javascript exploits because it
doesn't use Javascript. My worry comes when the powers that be
start forcing ISPs to monitor all traffic and disallow unapproved
traffic e.g. Tor onion services or other services that are unable
to be policed efficiently (usenet, irc).
Yes, and by that point you'd rather use a separate protocol rather than
use HTTP since no one's going to see your site anyway.
d***@inanna.eanna.net
2021-08-27 19:34:28 UTC
Permalink
Post by Joe Blow
Post by superkuh
HTTPS only is insidious. The very people we've come to trust are working
for our privacy are now working to solidify and centralize a system that
allows for a few big players to decide on whim (or otherwise) who can
speak. And it has to stop.
Browsers not using http doen't bother me much. You don't have to use an
up-to-date browser. You don't even have to use a graphical one. Lynx is
100% free of all javascript exploits because it doesn't use Javascript.
My worry comes when the powers that be start forcing ISPs to monitor all
traffic and disallow unapproved traffic e.g. Tor onion services or other
services that are unable to be policed efficiently (usenet, irc).
Links2 which includes the graphical xlinks2, as well as Suckless Tools'
Surf, are very good browsers for Lynx fans.

I'm using Firefox 91. In Settings just select -- Don???t enable HTTPS-Only
Mode. No problem.
--
(__) Sourcerer
/(<>)\ O|O|O|O||O||O
\../ |OO|||O|||O|| Cyberpunk's not dead. It's just not
|| OO|||OO||O||O fiction anymore...
superkuh
2020-12-31 22:32:46 UTC
Permalink
As of the latest Firefox release, 84, they have HTTPS Everywhere always
enabled and set in such a way to scaremonger and require user action
before HTTP sites are shown. This is the same way that self-signed certs
were eventually killed in corpoarate browsers.

https://blog.mozilla.org/blog/2020/12/15/our-year-in-review-how-weve-kept-firefox-working-for-you-in-2020/
HTTPS-Only mode ... will also ask for your permission before
connecting to a website if it doesn't support secure connections.

I thought I was being very aggressive in my estimate of 3 years. But it
turns out it might happen even faster than that.
I give it about 3 years before all massive commercial browsers stop
allowing you to visit HTTP sites at all and Firefox only allows if you
use their unstable beta build.
ajxs
2021-02-28 03:08:27 UTC
Permalink
You've raised a really good point about the susceptibility of
certificate authorities to coercion. Don't forget that there's still a
lot of alternative web protocols without such issues that are accessible
through other means: Gemini, Gopher, freenet, .onion, etc.
Firefox and Chrome, despite these organisations becoming increasingly
threatening to online freedom, are still open-source software. Don't
forget that there are forks of these projects designed to support online
freedom, such as GNU IceCat or Brave.
I agree with the overall sentiment that we are heading towards a more
_cyberpunk_ future with regards to how we access information. The future
of decentralised information access might come in more novel forms than
you think.
Post by superkuh
HTTPS only comes from a good place. People want privacy from their
governments' pervasive spying. Unfortunately, by going full retard and
not allowing HTTP combined with the centralized nature of cert
authorities, this privacy push has and will result in a situation that
absolutely delights those same central governments. Because now they
will have full control of who can speak and who can not.
https://blog.mozilla.org/security/2020/11/17/firefox-83-introduces-https-only-mode/
I give it about 3 years before all massive commercial browsers stop
allowing you to visit HTTP sites at all and Firefox only allows if you
use their unstable beta build.
HTTPS only, transport layer security only (for IRC, for SMTP, for HTTP,
etc), will be the end of personal autonomy on the internet. There are
only a handful of cert authories that actually get used as as each of
those get bigger they become more easily corrupted by money and external
government influence. We saw it with dot org. I doubt LetsEncrypt will
be significantly more robust over the same time scales.
HTTPS only is insidious. The very people we've come to trust are working
for our privacy are now working to solidify and centralize a system that
allows for a few big players to decide on whim (or otherwise) who can
speak. And it has to stop.
rtr
2021-11-26 12:35:21 UTC
Permalink
On Tue, 17 Nov 2020 11:39:48 -0600
Post by superkuh
HTTPS only comes from a good place. People want privacy from their
governments' pervasive spying. Unfortunately, by going full retard
and not allowing HTTP combined with the centralized nature of cert
authorities, this privacy push has and will result in a situation
that absolutely delights those same central governments. Because now
they will have full control of who can speak and who can not.
https://blog.mozilla.org/security/2020/11/17/firefox-83-introduces-https-only-mode/
I give it about 3 years before all massive commercial browsers stop
allowing you to visit HTTP sites at all and Firefox only allows if
you use their unstable beta build.
HTTPS only, transport layer security only (for IRC, for SMTP, for
HTTP, etc), will be the end of personal autonomy on the internet.
There are only a handful of cert authories that actually get used as
as each of those get bigger they become more easily corrupted by
money and external government influence. We saw it with dot org. I
doubt LetsEncrypt will be significantly more robust over the same
time scales.
HTTPS only is insidious. The very people we've come to trust are
working for our privacy are now working to solidify and centralize a
system that allows for a few big players to decide on whim (or
otherwise) who can speak. And it has to stop.
I never thought of it this way but that makes sense. If HTTPS becomes
mandatory then the ones who can issue certs has the say to who has the
right to exist on the internet. I think it's also worth noting that
there are alternative protocols but it's really something of a moot
point.

It's nice to have alternatives to exist once the web becomes really
uninhabitable but I hope it doesn't get to reach to that point.
Continue reading on narkive:
Loading...