From: NANOG <nanog-boun...@nanog.org> on behalf of Keith Medcalf <kmedc...@dessus.com>
Sent: Saturday, May 4, 2019 3:14:53 AM
To: NANOG list
Cc: Constantine A. Murenin
Subject: [EXT] RE: Widespread Firefox issues

HTTPS: has nothing to do with the website being "secure". https: means that transport layer security (encryption) is in effect. https: is a PRIVACY measure, not a SECURITY measure.

---
The fact that there's a Highway to Hell but only a Stairway to Heaven says a lot about anticipated traffic volume.

>-----Original Message-----
>From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Constantine A. Murenin
>Sent: Friday, 3 May, 2019 21:02
>To: Brielle Bruns
>Cc: NANOG list
>Subject: Re: Widespread Firefox issues
>
>On Fri, 3 May 2019 at 20:57, Brielle Bruns <br...@2mbit.com> wrote:
>
> > Just an FYI since this is bound to impact users:
> >
> > https://bugzilla.mozilla.org/show_bug.cgi?id=1548973
> >
> > Basically, Mozilla forgot to renew an intermediate cert, and people's
> > Firefox browsers have mass-disabled addons.
> >
> > Whoops.
>
>This is why it's important that every single website on the internet
>is available ONLY over HTTPS. Don't forget to install an HSTS
>policy, too, so, if anyone ever visits Kazakhstan or a
>security-conscious corporate office, they'll be prevented from
>accessing the cute pictures of cats on your fully static website. Of
>course, don't forget to abandon HTTP, too, and simply issue 301 Moved
>Permanently redirects from all HTTP targets to HTTPS, to cover all
>the bases.
>
>Backwards compatibility? Don't you worry — no browser lets anyone
>remove HSTS, once installed, so, you're golden. And HTTPS links
>won't fall back to HTTP, either, so, you're good there, too — your
>cute cats are safe and secure, and once folks link to your new site
>under https://, your future self will be safe and secure from ever
>having the option to go insecure again. I mean, why would anyone go
>"insecure"? Especially now with LetsEncrypt?
>
>Oh, wait…
>
>Wait a moment, and who's the biggest player behind the HTTPS-only
>movement? Oh, and Mozilla's one of the biggest backers of
>LetsEncrypt, too? I see… Well, nothing to see here, move along!
>#TooBigToFail.
>
>C.

I may be wrong and if so, I am happy to be corrected, but I don't think that statement is entirely true. The certificate not only encrypts the connection, it also verifies that you are connecting to the server you intend to. That second component is a security measure.

Charles Bronson