Linked by Thom Holwerda on Tue 27th Sep 2011 19:45 UTC, submitted by lemur2
Mozilla has released Firefox 7. Unlike releases of Firefox 5 and Firefox 6 which were relatively minor upgrades to the browser, Firefox 7 includes a number of significant improvements, most important of which is probably the drastically reduced memory usage.
Thread beginning with comment 491022
RE[2]: http:// is gone
by Lennie on Wed 28th Sep 2011 11:53 UTC in reply to "RE: http:// is gone"
Lennie Member since:
2007-09-22

If it wasn't for all the CA and SSL/TLS protocol problems I would say: everything should be on https://

Reply Parent Score: 2

RE[3]: http:// is gone
by Alfman on Wed 28th Sep 2011 21:36 in reply to "RE[2]: http:// is gone"
Alfman Member since:
2011-01-28

Lennie,


"If it wasn't for all the CA and SSL/TLS protocol problems I would say: everything should be on https://"

Yea, the web should probably default to a low grade encryption, which is extremely fast but deters casual snooping, censorship firewalls, and Phorm-like ISP monitoring.


However, there is one major technical obstacle with SSL that would make this impossible today. HTTPS is not compatible with shared hosting. There are proposed solutions, but they are hacks which leak information and are not supported by today's browsers.


Standard SSL is IP/port based and is not aware of the underlying HTTP protocol, which leads to a chicken/egg problem. HTTPS needs to transfer the certificate before knowing which domain the client is trying to reach. Therefore, as is, all HTTPS websites would need dedicated IP addresses.

This is a stupid limitation, however I suspect it's due to the fact that SSL was invented a year or so before HTTP/1.1, and all websites needed a dedicated IP address anyways.


The internet is shrouded in legacy designs which dictate how things must be engineered today to work around them. I do wonder if we'll ever get the opportunity to make a clean break?

Reply Parent Score: 2

RE[4]: http:// is gone
by Lennie on Thu 29th Sep 2011 08:09 in reply to "RE[3]: http:// is gone"
Lennie Member since:
2007-09-22

Low grade encryption? I don't think I've ever seen anyone think that is a good idea. Most people think that just gives a false sense of security.

Could you explain what is wrong with Server Name Indication (SNI) for HTTPS? Do you think it is wrong to send the website name in the clear?

If 1 IP-address == 1 HTTPS website then the website people are visiting is easily identified anyway.

It is supported by all clients except for: IE and Safari on Windows XP and the Android developers messed up and didn't add it to Android 2.

Everything else (clients and servers) already supports it for a couple of years. And yes it will take another few years before Windows XP is dead, but by that time Android 2 is also dead.

Could be IPv6 is widely deployed by then and IPv6-addresses for servers shouldn't be so hard to find. ;-)

Reply Parent Score: 2

RE[4]: http:// is gone
by Lennie on Thu 29th Sep 2011 09:19 in reply to "RE[3]: http:// is gone"
Lennie Member since:
2007-09-22

If you want fast encryption everywhere, Chrome developers seem to be very much interested in that.

They created SPDY, which is faster than regular HTTP for 98%+ (or something) of the webpages: http://www.chromium.org/spdy

The problem is, it needs a server change. And currently only one browser supports it. Some might still consider it beta.

It seems Amazon might be using SPDY for Amazon Silk: http://aws.amazon.com/amazonsilk-jobs/

Google also tried many ways to make SSL/TLS faster, but so far the only one they found that was compatible and helped enough is FalseStart:

http://blog.chromium.org/2011/05/ssl-falsestart-performance-results...

Another way to speed up delivery of secure content is a Microsoft research project:
http://research.microsoft.com/apps/pubs/default.aspx?id=148963

Which allows for mixing of HTTPS and HTTP.

Where HTTP is used to download images/JavaScript/StyleSheets from a Content Delivery Network (CDN) but those parts are signed with the same certificate as is used by the website which uses HTTPS.

The Microsoft research paper uses the mechanism from Mozilla https://wiki.mozilla.org/Security/CSP to signal which sites are allowed to be loaded from HTTP and should be signed by the main site.

Reply Parent Score: 2