Firefox Announces Secure Contexts Everywhere for New Features

Post #1   01-20-2018, 03:30 PM
easyhostmedia
All web-exposed features on Firefox must be served on HTTPS/TLS from now on
HTTPS is not just for websites, despite the fact that this is a common misconception. Granted, securing the connection between a website and a browser is the main job of HTTPS. But there are certain ‘features’ that we use on websites that enhance our experience. These features include familiar names such as HTTP/2, Geolocation, Payment Request API, etc.

Until now, some of these features needed to be Secure Contexts (HTTPS-only). From now on, this is going to change. “Effective immediately, all new features that are web-exposed are to be restricted to secure contexts,” Anne van Kesteren wrote on the Mozilla blog yesterday.

Further explaining the “web-exposed” features falling under the umbrella of secure contexts, he writes:

“Web-exposed means that the feature is observable from a web page or server, whether through JavaScript, CSS, HTTP, media formats, etc. A feature can be anything from an extension of an existing IDL-defined object, a new CSS property, a new HTTP response header, to bigger features such as WebVR. In contrast, a new CSS color keyword would likely not be restricted to secure contexts.”

What are Secure Contexts?
As a result of a continuous push to encrypt the internet, we’re witnessing a remarkable migration to HTTPS. Undoubtedly, it’s a good thing. However, just a Green Padlock isn’t enough. Encrypting entire contexts is highly desirable, and that’s what ‘secure contexts’ is intended for.

Mozilla defines it as a Window or Worker for which:

“…there is reasonable confidence that the content has been delivered securely (via HTTPS/TLS), and for which the potential for communication with contexts that are not secure is limited.”

Let’s make this clearer with an example. Suppose you have a website named https://example.com and you have managed to orchestrate an awesome report highlighting the difference between a cat person and a dog person. But this document opens up in a new window that isn’t TLS delivered (without specifying noopener). This website is considered to be an ‘insecure context.’

To put it simply, all the pages – including the parent and opener pages – must be delivered securely to be termed as ‘secure contexts.’

Why Secure Contexts?
Modern-day websites aren’t just meant for web-surfing purposes—they do much more than that. Whether it’s facilitating communication through a microphone, deriving a user’s location (with permission of course), or detecting the motion of a device—these features are becoming a common thing as far as websites are concerned.

These features utilize sensitive data and thus pose a significant risk as far as the privacy and credibility of data are concerned. If data is not secured through HTTPS, a hacker/attacker could eavesdrop or tamper with the data using a ‘man-in-the-middle’ attack.

Google announced these same changes to its browser, Chrome, in July of last year.

Current List of Secure Contexts-only Features in Major Browsers
For your reference, here’s a list of features restricted to secure contexts:

https://developer.mozilla.org/en-US/...ecure_contexts

Additional Resources
Permission.site is a webpage that allows you to test a variety of powerful and permission-gated features over HTTP and HTTPS.

Taken from https://www.thesslstore.com/blog/fir...-new-features/
__________________
Terry Robertson - CEO The Easyhost Media Group
PowerSSL - - We Secure your World
The Scamlist Forum - Fighting against scammers

Last edited by easyhostmedia : 01-20-2018 at 03:33 PM.
 
 
 
The Following User Says Thank You to easyhostmedia For This Useful Post:
Artashes (01-21-2018)
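
The parent/opener rule stated in the post above, modelled as an added JavaScript example (not part of the original post and not any browser's own code). The context object shape, the function names and the sample URLs are assumptions made for this sketch.

```javascript
// Simplified model of the rule in the post, not a browser's real algorithm.
// A context is { url, parent, opener, noopener }; these field names are
// assumptions made for this example.

// True when the URL was fetched over TLS (scheme-only check; real browsers
// also treat loopback hosts such as http://localhost as trustworthy).
function deliveredSecurely(urlString) {
  return new URL(urlString).protocol === "https:";
}

// Walk the parent and opener chain. Returns { secure, reason }.
function evaluateContext(ctx) {
  const seen = new Set();
  const queue = [{ node: ctx, via: "self" }];
  while (queue.length > 0) {
    const { node, via } = queue.shift();
    if (seen.has(node)) continue; // guard against cyclic opener references
    seen.add(node);
    if (!deliveredSecurely(node.url)) {
      return { secure: false, reason: `${via} ${node.url} is not TLS-delivered` };
    }
    if (node.parent) queue.push({ node: node.parent, via: "parent" });
    // An opener only counts while the window keeps a reference to it.
    if (node.opener && !node.noopener) queue.push({ node: node.opener, via: "opener" });
  }
  return { secure: true, reason: "whole chain delivered over TLS" };
}

// Constructed sample contexts.
const httpBlog = { url: "http://blog.example/post" };
const httpsTop = { url: "https://example.com/" };
const samples = {
  topLevelHttps: httpsTop,
  httpsFrameInHttpPage: { url: "https://example.com/widget", parent: httpBlog },
  httpsPopupFromHttp: { url: "https://example.com/report", opener: httpBlog },
  httpsPopupNoopener: { url: "https://example.com/report", opener: httpBlog, noopener: true },
  httpsFrameInHttps: { url: "https://cdn.example/frame", parent: httpsTop },
};

for (const [name, ctx] of Object.entries(samples)) {
  const { secure, reason } = evaluateContext(ctx);
  console.log(`${name}: ${secure ? "secure" : "NOT secure"} (${reason})`);
}
```

In a real page the browser exposes its own verdict as `window.isSecureContext`; the model only illustrates why a page served over HTTPS can still fail that check.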


Post #2   01-20-2018, 07:05 PM
whmcsguru
This is going to come back and bite them in the ass, IF they actually go through with this. ALL content served via SSL? What utter horse crap.

Yes, it's easy in today's world to set up AutoSSL, but not everyone needs, or wants this, and not everyone should need or want this!

Let's forget how 'easy' it is to set up AutoSSL though, and focus on the sheer numbers of individuals who'd get caught in the horror here. Believe it or not there's bound to be millions STILL using XP, which cannot support SNI at all. So, those people are basically SOL when it comes to Firefox.

Talk about ridiculousness
__________________
Tom Whiting, WHMCS Guru extraordinaire
Linux problems? WHMCS Problems? Give me a shout
Check out my WHMCS Addons
+1 - 866-546-8914 / skype - admin_139201 / twitter/facebook - @whmcsguru
 
 
 


Post #3   01-21-2018, 05:07 AM
easyhostmedia
Quote:
Originally Posted by whmcsguru
This is going to come back and bite them in the ass, IF they actually go through with this. ALL content served via SSL? What utter horse crap.

Yes, it's easy in today's world to set up AutoSSL, but not everyone needs, or wants this, and not everyone should need or want this!

Let's forget how 'easy' it is to set up AutoSSL though, and focus on the sheer numbers of individuals who'd get caught in the horror here. Believe it or not there's bound to be millions STILL using XP, which cannot support SNI at all. So, those people are basically SOL when it comes to Firefox.

Talk about ridiculousness

Google is doing the same on Chrome and I hear MS is going to do it on Edge, as the secret club CA/B Forum wants this.

This is the main reason cPanel set up AutoSSL, so that all accounts using cPanel can have SSL as standard.
 
 
 


Post #4   01-22-2018, 03:00 PM
whmcsguru
Google doesn't (yet) force SSL. If they did, there'd be a riot.
They do warn individuals when forms aren't being submitted via SSL, however.
 
 
 


Post #5   01-23-2018, 07:23 AM
easyhostmedia
Quote:
Originally Posted by whmcsguru
Google doesn't (yet) force SSL. If they did, there'd be a riot.
They do warn individuals when forms aren't being submitted via SSL, however.

Yes, but it's all a start of the same process: if you visit a website that is not under HTTPS then you will get a "not secure" warning.

https://www.theregister.co.uk/2017/0...ttps_adoption/

https://motherboard.vice.com/en_us/a...d-chrome-https

https://perezbox.com/2017/08/google-...ps-form-pages/

https://www.thesslstore.com/blog/app...-form-warning/
 
 
 


Post #6   01-23-2018, 06:44 PM
Harv45
Quote:
Originally Posted by whmcsguru
This is going to come back and bite them in the ass, IF they actually go through with this. ALL content served via SSL? What utter horse crap.

Yes, it's easy in today's world to set up AutoSSL, but not everyone needs, or wants this, and not everyone should need or want this!

Let's forget how 'easy' it is to set up AutoSSL though, and focus on the sheer numbers of individuals who'd get caught in the horror here. Believe it or not there's bound to be millions STILL using XP, which cannot support SNI at all. So, those people are basically SOL when it comes to Firefox.

Talk about ridiculousness

That's what they get for using their Grandfather's Duo 2 Core PCs hahaha. But seriously, they are probably full of viruses by now anyways, so replacing it or, failing that, just wiping it clean is the way to go.
 
 
 


Post #7   01-24-2018, 03:02 PM
whmcsguru
It really isn't as simple as 'upgrade' or 'wipe it clean'. There are companies with software that literally doesn't run on anything but XP. The devs of said software don't exist any more, so you can't really just say "hey, upgrade". Hell, a $multi-million, multinational company does this just here in Iowa. John Deere, perhaps you've heard of them?

It's never as simple as "just upgrade" or "just reload". In the case of JD, they've got systems that cost more in maintenance fees than they do to upgrade (as in hardware), and they're just a hardware problem or two away from total combustion. However, the budget is not there for an upgrade the size you're talking about.
 
 
 


Post #8   01-24-2018, 03:11 PM
Harv45
Quote:
Originally Posted by whmcsguru
It really isn't as simple as 'upgrade' or 'wipe it clean'. There are companies with software that literally doesn't run on anything but XP. The devs of said software don't exist any more, so you can't really just say "hey, upgrade". Hell, a $multi-million, multinational company does this just here in Iowa. John Deere, perhaps you've heard of them?

It's never as simple as "just upgrade" or "just reload". In the case of JD, they've got systems that cost more in maintenance fees than they do to upgrade (as in hardware), and they're just a hardware problem or two away from total combustion. However, the budget is not there for an upgrade the size you're talking about.

Corporate businesses are indeed known to be like that, where it takes forever to get budgets for such. However, you either gotta pick it up or be lost in the "race".

Because even if you're a "big player" it won't be long for a more IT competent business to gladly eat them whole otherwise.
 
 
 


Post #9   01-24-2018, 04:12 PM
easyhostmedia
Recent case in the UK.
The NHS was hit by the WannaCry ransomware last year as they were using Windows XP and the UK Gov. had decided not to continue to pay Microsoft for security updates.
If you are running a business then you should make sure your IT infrastructure is up to date.
If you are using software/modules that are outdated and the dev. no longer exists then it is time you change this.
 
 
 


Post #10   01-24-2018, 04:34 PM
Harv45
Quote:
Originally Posted by easyhostmedia
Recent case in the UK.
The NHS was hit by the WannaCry ransomware last year as they were using Windows XP and the UK Gov. had decided not to continue to pay Microsoft for security updates.
If you are running a business then you should make sure your IT infrastructure is up to date.
If you are using software/modules that are outdated and the dev. no longer exists then it is time you change this.

Exactly, either change your software or update it. You don't? Then either security or the market will make you suffer in the long run.
 
 
 