Re: [EXT] RE: Widespread Firefox issues

[Charles Bronson <cbronson () iec-electronics com>]

From: NANOG <nanog-bounces () nanog org> on behalf of Keith Medcalf <kmedcalf () dessus com>
Sent: Saturday, May 4, 2019 3:14:53 AM
To: NANOG list
Cc: Constantine A. Murenin
Subject: [EXT] RE: Widespread Firefox issues


HTTPS: has nothing to do with the website being "secure".  https: means that transport layer security (encryption) is 
in effect.  https: is a PRIVACY measure, not a SECURITY measure.

---
The fact that there's a Highway to Hell but only a Stairway to Heaven says a lot about anticipated traffic volume.


> -----Original Message-----
> From: NANOG [ mailto:nanog-bounces () nanog org] On Behalf Of Constantine
> A. Murenin
> Sent: Friday, 3 May, 2019 21:02
> To: Brielle Bruns
> Cc: NANOG list
> Subject: Re: Widespread Firefox issues
>
> On Fri, 3 May 2019 at 20:57, Brielle Bruns <bruns () 2mbit com> wrote:
>
>
>       Just an FYI since this is bound to impact users:
>
>       https://bugzilla.mozilla.org/show_bug.cgi?id=1548973
>
>       Basically, Mozilla forgot to renew an intermediate cert, and
> people's
>       Firefox browsers have mass-disabled addons.
>
>       Whoops.
>
>
>
> This is why it's important that every single website on the internet
> is available ONLY over HTTPS.  Don't forget to install an HSTS
> policy, too, so, if anyone ever visits Kazakhstan or a security-
> conscious corporate office, they'll be prevented from accessing the
> cute pictures of cats on your fully static website.  Of course, don't
> forget to abandon HTTP, too, and simply issue 301 Moved Permanently
> redirects from all HTTP targets to HTTPS, to cover all the bases.
>
> Backwards compatibility?  Don't you worry — no browser lets anyone
> remove HSTS, once installed, so, you're golden.  And HTTPS links
> won't fallback to HTTP, either, so, you're good there, too — your
> cute cats are safe and secure, and once folks link to your new site
> under https://, your future self will be safe and secure from ever
> having the option to go insecure again.  I mean, why would anyone go
> "insecure"?  Especially now with LetsEncrypt?
>
>
> Oh, wait…
>
>
> Wait a moment, and who's the biggest player behind the HTTPS-only
> movement?  Oh, and Mozilla's one of the biggest backers of
> LetsEncrypt, too?  I see…  Well, nothing to see here, move along!
> #TooBigToFail.
>
>
> C.

I may be wrong and if so, I am happy to be corrected, but I don't think that statement is entirely true. The 
certificate not only encrypts the connection, it also verifies that you are connecting to the server you intend to. 
That second component is a security measure.


Charles Bronson