From: NANOG <nanog-bounces@nanog.org> on behalf of Keith Medcalf <kmedcalf@dessus.com> Sent: Saturday, May 4, 2019 3:14:53 AM To: NANOG list Cc: Constantine A. Murenin Subject: [EXT] RE: Widespread Firefox issues HTTPS: has nothing to do with the website being "secure". https: means that transport layer security (encryption) is in effect. https: is a PRIVACY measure, not a SECURITY measure. --- The fact that there's a Highway to Hell but only a Stairway to Heaven says a lot about anticipated traffic volume.
-----Original Message----- From: NANOG [ mailto:nanog-bounces@nanog.org] On Behalf Of Constantine A. Murenin Sent: Friday, 3 May, 2019 21:02 To: Brielle Bruns Cc: NANOG list Subject: Re: Widespread Firefox issues
On Fri, 3 May 2019 at 20:57, Brielle Bruns <bruns@2mbit.com> wrote:
Just an FYI since this is bound to impact users:
https://bugzilla.mozilla.org/show_bug.cgi?id=1548973
Basically, Mozilla forgot to renew an intermediate cert, and people's Firefox browsers have mass-disabled addons.
Whoops.
This is why it's important that every single website on the internet is available ONLY over HTTPS. Don't forget to install an HSTS policy, too, so, if anyone ever visits Kazakhstan or a security- conscious corporate office, they'll be prevented from accessing the cute pictures of cats on your fully static website. Of course, don't forget to abandon HTTP, too, and simply issue 301 Moved Permanently redirects from all HTTP targets to HTTPS, to cover all the bases.
Backwards compatibility? Don't you worry — no browser lets anyone remove HSTS, once installed, so, you're golden. And HTTPS links won't fallback to HTTP, either, so, you're good there, too — your cute cats are safe and secure, and once folks link to your new site under https://, your future self will be safe and secure from ever having the option to go insecure again. I mean, why would anyone go "insecure"? Especially now with LetsEncrypt?
Oh, wait…
Wait a moment, and who's the biggest player behind the HTTPS-only movement? Oh, and Mozilla's one of the biggest backers of LetsEncrypt, too? I see… Well, nothing to see here, move along! #TooBigToFail.
C.
I may be wrong and if so, I am happy to be corrected, but I don't think that statement is entirely true. The certificate not only encrypts the connection, it also verifies that you are connecting to the server you intend to. That second component is a security measure. Charles Bronson