2020-19-11 No Mozilla, We Don't Want You To Break The Web            xkp
========================================================================

I recently saw this announcement from Mozilla:

https://blog.mozilla.org/security/2020/11/17/firefox-83-introduces-https-only-mode/

From TFA:

> When you enable HTTPS-Only Mode:
>
>    Firefox attempts to establish fully secure connections to every
>    website, and Firefox asks for your permission before connecting to
>    a website that doesn't support secure connections.

To me this is mostly reasonable. It's reasonable for two reasons:

1. It has to be enabled. I see benefits in this being manageable via
group policy or similar

2. It warns (but doesn't stop) you that content doesn't support HTTPS
connections

Just because a connection is over HTTPS doesn't mean it's secure. Just
because a connection is over HTTP doesn't mean it's insecure. The
wording implies HTTP connections are insecure, but I understand that
there's only so much space for a warning pop-up.

The part of Mozilla's piece that caught my interest was this:

> The future of the web is HTTPS-Only
>
> Once HTTPS becomes even more widely supported by websites than it is
> today, we expect it will be possible for web browsers to deprecate
> HTTP connections and require HTTPS for all websites. In summary,
> HTTPS-Only Mode is the future of web browing!

I posted a toot on Mastodon:

https://mastodon.social/@stevelord/105230641520893790

A few people didn't quite understand why Mozilla's desire to end HTTP
support is wrong. So here's an explanation of why Mozilla's desire to
remove HTTP support is a bad move and we should oppose rather than
celebrate it.

## It Breaks Parts Of The Web

There's been a strong push towards HTTPS over the past few years. It has
it's trade-offs. On the one hand the push for HTTPS helps encrypt
connections where encryption would be preferential. On the other hand
Google penalizing HTTP only sites in search results is somewhat
problematic when it comes to information better served over HTTP - e.g.
for systems that don't generally support current HTTPS.

It also introduces a moving target for websites to be indexed and
accessible.  HTTP is always HTTP. HTTPS will one day be an as-yet
unreleased version of TLS over QUIC, and woe betide anyone who hasn't
upgraded to whatever Google tells you is acceptable HTTPS.

And it will be Google telling you what's acceptable, not anyone else.
They own the search visibility and they own the web browser most people
use. This is already happening. It was them driving HTTPS in the first
place.

In the case of upgrading traffic to HTTPS this is good for most users in
most situations. There are scenarios in which this is not good - e.g.
where the HTTP and HTTPS sites don't match and a HSTS file stops HTTP
from working, but thankfully such edge cases should be extremely rare.

We should acknowledge making the change introduces previously
non-existent breaking edge cases. At the same time the trade-off is an
overall net positive for situations where the connection could otherwise
be insecure.

Before this push, HTTP was commonplace. Even when this push to HTTPS
started there was a lag before HTTPS links became commonplace. Older
articles on news sites like the BBC or Guardian will still link to HTTP
URLs, that are then redirected to HTTPS by the destination server before
being served. Removing support for HTTP breaks these links.

There are two ways that this can be resolved:

1. On encountering a HTTP link, use HTTPS first and fallback to HTTP
with a warning if HTTPS is unavailable 2. Stop parsing HTTP at all and
tell people to change their links to HTTPS

Mozilla are rolling out Option 1 with an opt-in. I'm sure over time,
Firefox will try to make this opt-out.

Option 2 just isn't practical. That doesn't mean it won't be tried. It
just won't succeed in a way that gets a user clicking on a link to the
content they requested. At this point, the browser is working *against
the user's direct request*. So I'm just going to say this once:

If you're going to go against the direct will of the user you're
travelling in the wrong direction.

Mozilla might consider it a success if they never re-enable HTTP, but
people will just use a different browser to access HTTP content.

There is an idea that somehow TLS is the only way to encrypt things and
that TLS == Secure and everything else is not.

In reality things are more complicated. This is how DoH came to be
championed by browser and web devs with a facile understanding of local
networking, and villified by network protocol designers like Paul Vixie.

The reality is that security is riddled with trade-offs that need to be
considered within a greater than binary secure-or-not context.

## HTTP Doesn't mean insecure

I don't run HTTPS exclusively on my home network. Why? Because my home
network is sufficiently secured against MITM threats for my own threat
model. If I need encrypted access to a service at home I can tunnel over
SSH. TLS only adds overhead where a bearer network is already
appropriately encrypted.

> But what if someone breaks into your wifi network?

Then I have bigger problems than TLS, but I'll know when a new device
joins my network. If they work harder to get in without me picking it up
I'll know I have serious problems TLS will not address.

Where HTTP is insecure is when something messes with you between you and
the target site. In the US, some ISPs routinely mess with customer
networks. I resolved this problem by using an ISP that doesn't mess with
my network. I appreciate that not everyone has that luxury. In places
where I don't have control over possible ISP interference I use VPNs. I
have my own VPNs for exit locations not covered by my Mullvad
subscription.

I accept different people have different setups with different threat
models, I'm just writing about mine here.

So when we say HTTP is insecure it's important to say against what. The
most common thing injected into HTTP traffic in my experience of
attacking wifi hotspots are login pages and ads. Sometimes these ads
serve malware, which brings me on to my next point.

# HTTPS Doesn't mean a site is secure

If you read and trust what Mozilla, Google and summer children may tell
you, you might think HTTPS is secure and HTTP isn't, end of. Forgive me
for saying this is naive and that years of security research has shown
HTTPS security to be shall we say... complex?

TLS relies upon what's called a Web of Trust. This is a collection of
certificates that are considered trusted by your browser. Most blindly
accept all of these certificates. If you review those certificates
you'll see that many of these certificate authorities operate in spaces
you'll never visit. You don't know these guys. You don't know under what
circumstances they might screw you over.

You might look at the China Financial Certification Authority and think
they're not the kind of organisation you want to allow to issue
certificates that could be used to man-in-the-middle you.

But then you'd miss Digicert, who bought Symantec after they abused
certificate issuing so much that Google threatened to remove them from
Chrome if they didn't change their ways.

It's fair to say that an abused certificate by one issuer doesn't weaken
HTTPS as a whole. But its perfectly possible to misconfigure HTTPS in
ways that make interception or other attacks possible. Cipher and
downgrade settings can leave sites and browsers wide open. TLS is an
incredibly complicated protocol with complex parsers in complex
libraries open to complex memory corruption and configuration bugs.

Historically you would go to a website, make a request to the website,
get some HTML and then send separate requests to the same site for some
graphics and maybe a Midi file.

Nowadays you make a request to the website and are redirected to the
nearest Content Delivery Network (CDN) server. Your browser starts
downloading HTML and is redirected to other servers for stylesheets,
javascript, images.

The content you download often has some user-generated content on the
page. Thinking about what is possible, if the objective is to steal or
modify content, an attacker can target:

* The CDN infrastructure or any of the servers along the request chain
* The TLS configuration of any servers in the request chain
* The ability to upload user content (e.g. uploading malicious content
 for access later)
* Any server-side applications involved in the request chain
* Any project or supply chain dependencies on systems or applications
 involved in the request chain
* Other applications or user content uploads hosted on any servers along
 the request chain

That is a *lot* to secure. I'm not saying HTTPS should be avoided. What
I'm saying here is that HTTPS is one part of a much broader information
assurance requirement. It is a tool in the box. It is not the box.

# Complexity And Insecurity

There are two common approaches to managing insecurity I'd like to
highlight.  I'll refer to these as the Microsoft approach and the
OpenBSD approach:

1. The Microsoft Approach: Mitigating exploit classes through increased
complexity is a net good as it increases exploitation effort and cost

2. The OpenBSD Approach: Complexity increases attack surface.

There's a computing aphorism I feel is relevant here, Greenspun's Tenth
Law:

> Any sufficiently complicated C or Fortran program contains an ad hoc,
> informally-specified, bug-ridden, slow implementation of half of
> Common Lisp.

If you switch off browser scripting and use HTTP, an attacker's
exploitable (for values of remote code execution) surface area drops
through the floor compared to the same request over HTTPS with browser
scripting enabled.

Gwern as usual has fascinating comments on accidentally Turing Complete
systems:

https://www.gwern.net/Turing-complete

But short of a vulnerability in file formats or HTML parsing, with
scripting turned off the impact of MITM changes substantially. The web
was designed to display markup, not execute code. Now people who make a
lot of money from executing code want to tell you what the web should
and shouldn't do.

Security is a complicated and highly nuanced field and every decision we
make has a security tradeoff. It's easy to get distracted and convince
ourselves that we're doing good when we're doing harm. We can shout down
legitimate concerns over the consequences of our actions in the name of
security and progress theatre.

We could put effort into securing scripting languages and web extensions
but instead are focusing on the crypto as a way to avoid tackling it.

As the web browser has slowly gained the ability to rewrite the OS in
its own image, that *half of Common Lisp* is growing into a quarter of
Smalltalk. Nobody asked for it, but Google won. Mozilla exists solely so
Google can claim it doesn't have a browser monopoly, nothing more.
Cutting out HTTP means cutting out the web. The day that happens is the
day I cut out Mozilla.

Drew DeVault wrote some thoughts I share on the web here:

https://drewdevault.com/2020/08/13/Web-browsers-need-to-stop.html

Drew's gemini presence is down right now, but when back up I think his
piece will be here:

gemini://drewdevault.com/2020/08/13/Web-browsers-need-to-stop.gmi

You are viewing proxied material from republic.circumlunar.space. The copyright of proxied material belongs to its original authors. Any comments or complaints in relation to proxied material should be directed to the original authors of the content concerned. Please see the disclaimer for more details.