On the Mozilla Dev-Platform Newsgroup, hosted at Google Groups, a proposal to deprecate insecure HTTP is being discussed. The idea is that HTTPS needs to be adopted and organizations will not do it without being pushed. The plan is to get browser vendors to refuse activating new features, and eventually disable old features, unless the site is loaded as a “privileged context”.
This has sparked a debate, which was the whole point of course, about how secure we want the Web to be. What features should we retroactively disable unless they are accessed through HTTPS? Things that access your webcam and microphone? Things that write to your hard drive? Then there is the question of how to handle self-signed certificates to get encryption without verification, and so forth.
Note: Websites cannot access or create files on your hard drive, but standards like localStorage and IndexedDB allow websites to have their own spaces for persistence. This is to allow, for instance, a 3D game to cache textures (and so forth) so you don't need to download them every time.
Personally, this concerns me greatly. I started helping Mozilla a couple of years ago, a few weeks after I saw Microsoft's Windows 8 developer certification program. I do not like the thought of someone being able to stifle creation and expression, and the web was looking like it might be the last bastion of unrestricted development for the general public.
In the original Windows Store requirements, no browser could exist unless it was a skin of Trident. This meant that, if a site didn't work in Internet Explorer, it didn't exist. If you didn't want to play by their rules? Your app didn't get signed and your developer certificate could even be revoked by Microsoft, or someone with authority over them. You could imagine the problems an LGBT-focused developer might have in certain countries, even if Microsoft likes their creations.
This is obviously not as bad as that. In the Windows Store case, there was one authority whereas HTTPS can be authenticated by numerous providers. Also, if self-signed certificates are deemed “secure enough”, it would likely avoid the problem. You would not need to ask one of a list of authorities permission to exist; you could secure the connection yourself. Of course, that is a barrier of skill for many, and that is its own concern.
So we'll see, but I hope that Mozilla will take these concerns as a top priority in their decisions.
That would be a big mistake. I have lost count of how many times I have disabled HTTPS Everywhere from EFF in Firefox simply because some websites do not function properly. This includes Dell Canada and others.
Your example highlights a problem, but on the other hand, why doesn’t Dell make their Canadian website conform to HTTPS? They have no legitimate reason not to. Making sure their customers are connecting to a legit Dell site and not some spoof site is good for Dell as well as their customers.
How about a browser that allows the user to switch off all the unnecessary mouse events that are there to allow annoying ads to disrupt the entire flow of the webpage? I’m getting tired of ads pushing out video content that turns my web viewing experience into an exercise in futility. How about a browser setting that only allows one extra instance of Adobe’s Flash Player to run in a webpage in addition to the part that is playing the video content that was the reason to visit the webpage in the first place? Hell, I have a laptop with a quad core i7, and still the Flash ads bring the video I’m watching to a standstill, or otherwise degrade the frame count, or totally crash the webpage. It appears that most of the innovation in HTML and web standards is going towards enabling too much control over the user’s web page viewing experience, with all manner of intrusive mouse event trapping/handling turning web pages into Chutes and Ladders types of experiences, with all sorts of pitfalls and traps ready to spring up and flash more annoying ad content in the viewer’s face.
Most of the time the damn ads continue to play even though they are scrolled by and are completely hidden from view, what a waste of computing resources, and it’s degrading the web experience on many websites. The ad industry has so taken over the web that in a few years the whole process is going to become gridlocked. Web browsers need the ability to allow the user to limit the resources made available to the ad content pushers, and prioritize the content that the user wants over the ad content. It’s no wonder the ad blocking market is so strong, there is very little user choice, or settings to allow the user any control over the resources that the browser handles. There should be settings that allow the user to force video ad content to be switched to single image, or reduced image content for ads, so the user does not experience performance degradation.
Some web pages are so full of Flash ads pushing the same advertisement in three or more places on some websites that it’s becoming impossible to even smoothly scroll down the page to read the text, I’m constantly getting degraded performance and really this is not going to convince me to ever purchase an advertiser’s product. I guess it’s time for people to begin to complain to the sponsors of the ads by not buying their product, and letting the sponsors know that their ad partners’ annoying practices are costing the sponsors sales.
Certainly the web standards should include HTTPS as the standard, with no built-in man-in-the-middle shenanigans to allow the ad pushers and metrics gatherers to circumvent the data encryption. And all web browsers are going to have to come with built-in ad blocking/whitelisting, and resource metering to only allow the proper ad behavior, and filter out the violators. The user should be in total control of how much of their system’s resources should be allotted to any ads that may be hogging too much processor/memory/disk resources, and that especially includes the ability to limit the amount of video-based ad windows that are allowed to run on a single web page instance or tab.
For Firefox, if you go under Tools -> add-ons -> plugins, you can set Flash to be deactivated by default. I thought this was the default now? Unfortunately, this seems to activate Flash for the entire page. I have switched back and forth between Chrome and Firefox because they almost always seem to have some annoying problem.
I am using Firefox now because Chrome was having issues with smooth scrolling on my OS and I like the Firefox setting that does not load tabs on start-up unless you switch to that tab. This allows me to leave a large number of tabs up without overloading the machine or internet connection. If Chrome added this, I would probably go back to it. If I try to start Chrome with a large number of tabs, it tries to load and run them all at once.
When I used Chrome, I was using click to activate for Flash; I believe this actually did individual Flash instances, rather than enabling or disabling for the entire page as Firefox does. Some pages would not work right with this though. Firefox has the NoScript extension, but it can be difficult to get some pages to work properly with this. It allows disabling scripts by domain though.
Most of the stuff that annoys people is done via scripts, so disabling scripts makes most of these go away, but a lot of sites will not function at all anymore without some scripts enabled. The more web sites annoy users, the more users will find a way to block such things. If you run Chrome, you can tell which pages are resource hogs because it creates separate processes. I have sometimes just gone through and killed most of the Chrome helper processes because some pages have scripts on them that use large amounts of CPU or memory, even when not displayed. I like that about Chrome; you can kill the resource-intensive pages without bringing the main process down. This is not possible with Firefox; it is one large process for the browser with separate plugin processes.
Yes but the video content on some websites requires Flash, so switching Flash off does not solve the problem, there needs to be user controlled resource allocation and video ad limiting options built into the browser. Ads (video based) should receive the lowest priority for system/browser resources and any degradation of the user’s browsing experience must be prevented. Users should be able to only approve scripts from the visited page, and be able to limit the scripting options available to the pushed out ad content, that mostly originates from outside the website’s domain/site. There is too much control over the user’s browsing experience via the scripts that are being pushed out with the ads, and this is what is being abused, and otherwise used to push malware, and other potentially dangerous code. The very reasons for ad blocking existing should tell the browser designers that it’s time to provide their browsers with some built-in ad pusher whitelisting/ad blocking functionality before things get worse.
“Unfortunately, this seems to activate Flash for the entire page.”
There is an add-on for that, Click to Play per-element: https://addons.mozilla.org/hu/firefox/addon/click-to-play-per-element/?src=ss
In case you wonder, there is no performance impact whatsoever, no compatibility problem when Firefox is updating, and it doesn’t eat laundries. Happy browsing!
I guess the Firefox devs just gave me yet another reason to switch to another browser… (memory leaks and crashes being the other main reasons)
While I don’t like Chrome because of Google, it looks like the only real option left. Unless they go the same route of course…
It’s up to the server owner to decide whether to give HTTP or HTTPS, and it’s up to the users to decide if they want to use HTTP or HTTPS (where available).
It should NOT be up to the browser to decide which protocol to use.
If I put http, I expect to get http unless the server re-directs me to https.
If you like Firefox, but don’t like some of the nonsensical decisions Mozilla make (like dumping the perfectly functional UI for a Chrome knockoff that hides all the functions behind a submenu-behind-a-menu), you might want to take a look at Palemoon. It’s essentially the pre-Australis codebase with security and functionality updates from post-Australis rolled in. There are a handful of incompatible extensions after a recent GUID change (https://addons.palemoon.org/resources/incompatible/).
Thank you. I’ll take a look at it.
I don’t offer https on my sites, because ssl certs are expensive and the alternative is self signed, which confuses people when they get the ssl warning.
If you want to force https, make it easy for webmasters. Overturn the ssl cert mafia.
Just today I’m reading the reader posts on the Tech Report’s website. I’m scrolled halfway down the webpage, and Bam, an annoying video ad loads and the webpage jumps to the top every time a new ad loads. I scroll down, attempt to read more posts, and Bam back to the top, this happens one more time, and I then pause the ad.
All websites should come with a report an annoying ad button, and let any user, logged on or not, log/file a complaint with the website manager. A complaint button should be placed below the ad, and when pressed it logs the ad, and the ad script running, and the website pushing the ad content. This functionality should also be used for the browser whitelist, and the offending ad website, and further disruptive ad script should be blocked in the browser, this is the type of functionality that should be built into browsers, the ability to have a complaint button attached to every ad and when the user clicks the button the ad pusher’s identifying information and script is documented and the information sent to a whitelisting/blacklisting service. These damn ads are getting to be close to denying the user the ability to even browse any content, and these forms of disruptive ads should result in fines to the companies that push them.