Firefox Users Reach HTTPS Encryption Milestone (techcrunch.com)
For the first time ever, secure HTTPS encryption was used for over half the pageloads served to Mozilla users, representing a big milestone for encryption. TechCrunch reports on the telemetry data tweeted by the Head of Let's Encrypt:
Mozilla, which is one of the organizations backing Let's Encrypt, was reporting that 40% of page views were encrypted as of December 2015. So it's an impressively speedy rise...
The Let's Encrypt initiative, which exited beta back in April, is doing some of that work by providing sites with free digital certificates to help accelerate the switch to HTTPS. According to [co-founder Josh] Aas, Let's Encrypt added more than a million new active certificates in the past week -- which is also a significant step up. In the initiative's first six months (when still in beta) it only issued around 1.7 million certificates in all.
The "50% HTTPS" figure is just a one-day snapshot, and it's from "only a subset of Firefox users who are running Mozilla's telemetry browser...not default switched on for most Firefox users (only for users of pre-release Firefox builds)." But the biggest caveat is it's only counting Firefox users, which in July represented just 7.7% of web surfers (according to Statista), behind both Chrome (49.5%) and Safari (13.68%) -- but also ahead of Internet Explorer (5.4%) and Opera (5.99%).
50% of Firefox users (Score:2, Funny)
All three of them.
Re: (Score:2)
That's wrong. A few telemetry features are in each Firefox, and on the first run you get a passive notification "Firefox collects some data [learn more][disable]".
Re: (Score:1)
Re: (Score:2)
I have 45 ESR from mozilla.org.
Re: (Score:2)
They are spying and it's called telemetry. There are ways to disable it.
Have a look at ffprofile.com for more Firefox tweaks. There is a lot of internal spying, which can be removed on a profile generated with ffprofile.
Re: (Score:2)
certificates (Score:1)
Not worth the paper they're printed on. It's just another form of tracking.
Re: (Score:1)
Firefox should handle self signed certificates better. It treats them as dodgy, but they are not.
A certificate authority injected between you and a known server represents an unwanted man-in-the-middle.
I'll admit that the last time I dealt with this on FF, it was a few revisions ago. Self-signed certs are easy enough to add to the browser, any browser really. Will the average user know how to deal with this and take the appropriate steps? No.
Adding your own CA may take a little more work, but is what you need to do to avoid MITM attacks.
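The "add your own CA" route the comment above recommends, as an added shell example that is not from the thread or from any project it mentions: it creates a private root CA, issues a server certificate for a LAN host with a proper subjectAltName (browsers ignore the CN), and shows that verification succeeds only for a client that trusts that CA. The CA name and the host nas.home.lan are constructed placeholders, and OpenSSL 1.1.1 or later on PATH is assumed.

```shell
#!/bin/sh
# Private CA for a LAN server: added example, not code from the thread.
# Assumes openssl (1.1.1+) is on PATH. All names are constructed.
set -e

# Create a self-signed root CA: $1 = output dir, $2 = CA common name.
# 'req -x509' marks the cert as a CA (basicConstraints CA:TRUE) by default.
make_private_ca() {
  dir="$1"; cn="$2"
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" \
    -subj "/CN=$cn" >/dev/null 2>&1
}

# Issue a server cert signed by that CA: $1 = dir, $2 = server DNS name, $3 = days.
issue_server_cert() {
  dir="$1"; host="$2"; days="$3"
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$dir/$host.key" -out "$dir/$host.csr" \
    -subj "/CN=$host" >/dev/null 2>&1
  # Leaf-cert extensions: not a CA, TLS server use only, SAN carries the name.
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
    "$host" > "$dir/$host.ext"
  openssl x509 -req -in "$dir/$host.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -days "$days" -extfile "$dir/$host.ext" \
    -out "$dir/$host.pem" >/dev/null 2>&1
}

# What a client that imported ca.pem sees: $1 = dir, $2 = host. Returns 0 on success.
verify_against_ca() {
  openssl verify -CAfile "$1/ca.pem" "$1/$2.pem" >/dev/null 2>&1
}

# What a client that did NOT import ca.pem sees (system trust store only): fails.
verify_without_ca() {
  openssl verify "$1/$2.pem" >/dev/null 2>&1
}

# Usage: sh private-ca.sh /path/to/dir nas.home.lan
# (no arguments: define the functions only)
[ $# -lt 2 ] || {
  make_private_ca "$1" "Home CA (constructed)"
  issue_server_cert "$1" "$2" 90
  verify_against_ca "$1" "$2" && echo "trusted with ca.pem: $2"
  verify_without_ca "$1" "$2" || echo "untrusted without ca.pem: $2 (as expected)"
}
```

The second verify is the point the commenter makes: until ca.pem reaches each client over some trusted channel (the "secure sideband" discussed further down the thread), every visitor gets the same warning a self-signed certificate would produce, so the CA only buys you anything on machines you control.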
Re: (Score:2)
And you should read the section about ocsp stapling.
Stapling ineffective for server and client on 1 IP (Score:2)
OCSP stapling means the server contacts the CA on the client's behalf and returns a cached OCSP response signed by the CA to the client. Thus the CA sees one OCSP request from the server per day as the server notices that the cached response is about to expire, as opposed to a request from each client. But in the case that Anonymous Coward #53085831 described, both the server and the client are on a LAN behind a NAT. When both the client and server have the same IPv4 address, stapling isn't quite as effecti
Re: (Score:2)
It's still only informing them that the certificate is still in use. And if it's your LAN and you really want to avoid it, switch OCSP off in the browsers on your LAN. You can do it there, unlike an internet site, which cannot avoid the default config of its visitors.
Re: (Score:2)
Then the problem becomes setting up the means through which the CA's root certificate is "pre-distributed over a secure sideband", such as a head of household wanting to make a private server available to visiting friends and family or a public library wanting to make a private server available to visiting patrons.
Re: (Score:1)
You mean like https://www.google.com [google.com]?
Whose certificate is issued by "Google Internet Authority G2".
Self-signed is OK for them, but not for us. Get it?
Any company can be a CA (Score:2)
> Self-signed is OK for [Google], but not for us. Get it?
Any company can join the major web browsers' root certificate programs so long as it can afford the cost of operating a CA and hiring a third-party auditor to verify that its issuance policy is being followed. Google is such a company.
Re: (Score:2)
> Which goes to show you how leaking of telemetry info is one of the biggest problems with certs.
How so?
> So I have a server on my local network. To enable https, it needs a cert and you click through a form to create a Let's Encrypt cert. BUT if you do that, then you've injected an outside body in the verification!
What do you mean? If you mean the server validates its identity to the certificate authority, then yes, that's true. That's the point.
> Each time it contacts that to check the cert, it's informing the certificate company that you are accessing your own server on your own network.
Let's Encrypt intends that the certificate issuance process is automated, such as with a cronjob. Thus, if you do things right, the server will periodically re-validate your site with Let's Encrypt and renew certificates automatically. This is intended.
If you mean that clients will query the CA's OCSP servers to verify the validity of the certificate, yes, this is true.
Re: (Score:3)
That's why Let's Encrypt is free.
Re: I like the idea of encryption (Score:1)
It's only "free" if you don't value your time (the certs expire every few months), or if you don't need an EV cert, or if you don't need a wildcard cert. It's a fun toy for your blog that nobody reads, but that's about it.
Re: (Score:2, Informative)
> It's only "free" if you don't value your time (the certs expire every few months), or if you don't need an EV cert, or if you don't need a wildcard cert.
Let's Encrypt intends that the installation and maintenance (e.g. renewal) is automated. A simple daily cronjob checks if any Let's Encrypt certs on that system are in need of renewal and, if so, handles the validation, issuance, and installation of those certs completely automatically. If anything, it dramatically *saves* admin time.
The vast majority of sites don't need EV or wildcard certs, so Let's Encrypt is perfect for them.
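The daily cron-style check the reply above describes, as an added shell example that is neither Let's Encrypt's client nor any tool named in the thread: it asks openssl whether each certificate expires inside a 30-day window (the conventional renewal point for a 90-day certificate) and invokes a renewal hook only when it does. The ACME_RENEW_CMD hook is an assumed placeholder for a real ACME client, the test certificates are constructed, and openssl on PATH is assumed.

```shell
#!/bin/sh
# Daily renewal check of the kind a Let's Encrypt cron job performs.
# Added example, not Let's Encrypt's client. Assumes openssl on PATH and
# delegates the actual ACME renewal to ACME_RENEW_CMD (placeholder hook).
set -e

# Return 0 if the certificate in $1 expires within $2 days, 1 if it does not,
# 2 if the file cannot be parsed (so an unreadable cert is never reported "ok").
needs_renewal() {
  cert="$1"; days="$2"
  out=$(openssl x509 -in "$cert" -noout -checkend $((days * 86400)) 2>/dev/null) || true
  case "$out" in
    "Certificate will expire")     return 0 ;;
    "Certificate will not expire") return 1 ;;
    *) echo "cannot parse $cert" >&2; return 2 ;;
  esac
}

# Decide for one cert and print the decision; the hook runs only when renewal is due.
check_and_renew() {
  cert="$1"; days="$2"
  needs_renewal "$cert" "$days" && rc=0 || rc=$?
  case $rc in
    0) echo "renewing $cert"
       ${ACME_RENEW_CMD:-:} "$cert" ;;   # ':' is a no-op stand-in for the real client
    1) echo "ok $cert" ;;
    *) echo "error $cert"; return 1 ;;
  esac
}

# Constructed self-signed test cert: $1 = path, $2 = lifetime in days.
# (Stands in for a real issued cert so the check can be exercised offline.)
make_test_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "${1%.pem}.key" -out "$1" \
    -days "$2" -subj "/CN=renewal-test.example" >/dev/null 2>&1
}

# Usage (from cron): sh renew-check.sh /etc/ssl/mysite 30
# (no arguments: define the functions only)
[ $# -eq 0 ] || {
  for c in "$1"/*.pem; do check_and_renew "$c" "${2:-30}"; done
}
```

Checking with a 30-day window against a 90-day certificate means the job renews on roughly day 60, which leaves a month of daily retries if the CA or the validation step is temporarily unavailable; that slack is why the short lifetime costs no admin time once the job is in place.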
Re: I like the idea of encryption (Score:2)
This.
One of the arms of my business is web hosting (among web application development and other online services). Let's Encrypt is fantastic. Automated SSL/TLS certificates make life easier, and my small business clients really appreciate the free certificates. I really appreciate not having to deal with renewing them every year or two because it's kind of a PITA.
For my own business sites I do use EV certs, and it's definitely a hassle to renew them.
Re: (Score:2)
That's why LE is cheaper: you are forced to automate it, causing you to spend way less time on certs. It's just part of setting up a web server and not all that complicated. Additionally, both free and paid web panels (which you would be using if you don't know how to install a cert in less than 5m) now include a module that does it for you.
You need a domain, which not everyone has (Score:2)
Let's Encrypt is rate-limited in such a way that it's only "free" if you own a valid domain. Someone setting up a web server on a private network, such as inside a home, library, or museum, might not own a domain for that purpose.
100% of the viewers of my website use HTTPS (Score:2)
Re: (Score:2)
Have you run analytics on how many potential customers you are turning away for not supporting TLS 1.2?
accuracy of numbers? (Score:4, Informative)
I'd be willing to bet that most security-conscious Firefox users turn off telemetry (as I did), which would skew the numbers. Chances are that they hit this milestone earlier than now.
Re: (Score:2)
How would you recommend that developers "learn what usability and accessibility mean" without observing users?
Re: (Score:3)
> By that standard, just using the web amounts to using spyware
It is. Without adblock, self-destructing cookies and so on, almost every site is spyware. Have a look at the domains which such tools block on Slashdot, and then on a major news site. It's a nightmare, really.
Hotel Tango Foxtrot do they know this? (Score:2)
Is FF phoning home to Mozilla with this statistic, and if so, is there a setting we can turn off to stop it?
Re: (Score:2)
It's on by default, but you get a notification on the first run that it's enabled, with a "disable" button.
Re: (Score:1)
Re: (Score:2)
My 45 ESR asks me if I want to disable it on first run. Did not try newer ones yet.
Re: (Score:2)
You know, you could read the damn summary. I know, TL;DR:
> "not default switched on for most Firefox users (only for users of pre-release Firefox builds)."
There's probably a setting to disable it in preview builds, but the whole point of using them is for Mozilla to test so... don't volunteer as a tester?
Re: (Score:2)
... Let's Encrypt provided certificates that lasted longer than 90 days. Ridiculous. Make it one year at least. Please.
The process is intended to be automated, such as with a cronjob, and the short lifetime is intended to resolve issues relating to the general suckitude of revocation.
Provided the web host supports cert automation (Score:2)
Automated renewal is the intent. In practice, it took several months after Let's Encrypt entered public beta for some web hosting providers to let users even upload their own certificates without having to file a support ticket. (See, for example, a blog post from a month ago [webfaction.com].) It got so bad that one passive-aggressive fellow wrote a tool to request a certificate from Let's Encrypt and automatically file a support ticket [github.com].
Let's Encrypt has done a good job (Score:2)
Translation (Score:2)
> The "50% HTTPS" figure is just a one-day snapshot, and it's from "only a subset of Firefox users who are running Mozilla's telemetry browser...not default switched on for most Firefox users (only for users of pre-release Firefox builds)." But the biggest caveat is it's only counting Firefox users, which in July represented just 7.7% of web surfers (according to Statista), behind both Chrome (49.5%) and Safari (13.68%) -- but also ahead of Internet Explorer (5.4%) and Opera (5.99%).
Translation: statistics are manipulated.
That's why I never believe any statistic, regardless of the source.