Analysis: Mozilla and HTTPS

Mozilla, makers of the Firefox browser, recently announced plans to cripple Firefox. Starting soon, they plan to make their users jump through hoops to visit sites that use the HTTP protocol. HTTP is the unencrypted version of the protocol used for transferring data from the web server to your browser. Banks and other sites handling money and sensitive information use the encrypted version – HTTPS. So in the near future, if you plan to go to sites that don’t use HTTPS you will get ‘scary’ (their description) warnings popping up all over the place.

Is this a good idea?

No! Definitely not. Much as it might sound like a good thing after all the material flooding the net about government monitoring of material on the web, it will actually make things much worse. This is because secure connections do not exist in isolation. Behind every server using HTTPS is a network of interlocking certificates called a ‘Public Key Infrastructure’ (PKI).

PKI works like this, roughly speaking, and leaving out the gory details. PKI starts with a certificate, which is a long unique number, belonging to the server using HTTPS. That certificate has to be purchased from a recognized authority, known as a Certificate Authority (CA).

When your browser contacts the server, the server tells your browser who issued the certificate, and some of the details. Your browser then contacts the web site of the CA and asks it to verify the certificate and the server. Once that is done, you have verified the server you are talking to, and the browser can set up an exchange of keys to use to encrypt all the traffic between your browser and the server.

So what’s the problem then?

Well, there are a number of problems. For a start the CAs are commercial entities, and, understandably, want cold, hard cash to provide you with a certificate. And the certificates have a limited lifetime, usually one, two or three years, depending on how much you cough up for them, so you have to keep going back and paying more.

The second problem is that since the purpose of the certificate is to allow the CAs to confirm that you really are who you say you are (i.e. how do you know your browser is really talking to your bank?), they want lots of details from you before they issue a certificate. Too bad if you live in a country with a repressive regime.

There aren’t very many CAs around, because of what’s involved, and also because to be an effective CA you have to persuade the browser makers to ship their browsers with the details of how to log securely onto the CA’s site in order to verify certificates they’ve issued! In Chrome you can look at the CA’s credentials by going to Settings|Show advanced settings|HTTPS/SSL. Click the ‘Manage certificates...’ button, and then click on the ‘Trusted Root Certification Authorities’. I suggest you stop at that point, unless you really know what you are doing – in which case you don’t need to read this article! My browser has certificates from fewer than two dozen root authorities. That’s not very many considering the billions of servers there are out there connected to the internet. This gives governments just a handful of organizations to put the screws on when they want information. That makes the server certificate a single point of failure.
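
An added example, not part of the original article: the commands below show what a client's list of trusted root certificates does when a server certificate is checked. The two roots and the host name www.example.test are constructed for the demonstration, and the openssl command-line tool is assumed to be installed.

```shell
#!/usr/bin/env bash
# Constructed demo: two private root CAs and one server certificate.
# All names (root-a, root-b, www.example.test) are made up for this example.
set -eu
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# make_root NAME: create a self-signed root certificate and its private key.
make_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1" \
    -keyout "$work/$1.key" -out "$work/$1.pem" 2>/dev/null
}

# issue ROOT HOST: ROOT signs a certificate binding HOST to HOST's public key.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$work/$2.key" -out "$work/$2.csr" 2>/dev/null
  openssl x509 -req -in "$work/$2.csr" -days 30 -CAcreateserial \
    -CA "$work/$1.pem" -CAkey "$work/$1.key" -out "$work/$2.pem" 2>/dev/null
}

# trusts ROOT HOST: succeed only if HOST's certificate chains to ROOT.
# The check is a signature verification against the root's public key,
# done locally with the root certificate the client already holds.
trusts() {
  openssl verify -CAfile "$work/$1.pem" "$work/$2.pem" 2>/dev/null | grep -q ': OK$'
}

make_root root-a
make_root root-b
issue root-a www.example.test

# The same server certificate, judged by two clients with different root lists.
for root in root-a root-b; do
  if trusts "$root" www.example.test; then
    echo "client trusting only $root: certificate accepted"
  else
    echo "client trusting only $root: certificate rejected"
  fi
done
```

Whichever roots sit in the client's list decide the outcome: the certificate itself is identical in both checks.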

Finally, there is the question of installing a certificate on your server. I think that putting this certificate in place is the most complex thing I’ve ever done on a computer – and that includes writing the 70,000 lines of code that make up my Federation multi-player game. I’ve included a URL to ArsTechnica’s explanation of how to do it, so you can see for yourself what’s involved. Oh! And by the way, installing the first certificate is the easy bit – installing a replacement certificate when the original one expires is even more of a pain! Would you like to do it, just so you can post your blog, cat pictures, etc?

Finally, the truth is that many sites don’t need HTTPS. What’s so secret about what’s on Wikipedia, for instance? Or take our own ibgames.com site – all it contains is manuals, news and a couple of pieces of open source software. You can go and get the source for those from BitBucket if you want. Basically it comes down to who is going to be able, and eventually perhaps even allowed, to publish on the internet. At the moment it’s anyone. In the future, if the likes of Mozilla succeed, it could be just the people that the government, or some commercial entity permits.

How long will it be before Mozilla succeeds in turning the open internet into a broadcast media service like the movies, radio and television used to be in the last century?
http://phys.org/news/2015-05-mozilla-https-web.html
https://medium.com/@b_k/https-the-end-of-an-era-c106acded474
http://www.infoworld.com/article/2917575/encryption/mozillas-firefox-https-or-bust.html
http://lauren.vortex.com/archive/001099.html
https://plus.google.com/+LaurenWeinstein/posts/N5c2RiTSBPf
http://arstechnica.com/security/2009/12/how-to-get-set-with-a-secure-sertificate-for-free/

Alan Lenton
17 May, 2015

