{"id":11170,"date":"2018-01-18T12:30:05","date_gmt":"2018-01-18T20:30:05","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2018\/01\/18\/news-4941\/"},"modified":"2018-01-18T12:30:05","modified_gmt":"2018-01-18T20:30:05","slug":"news-4941","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2018\/01\/18\/news-4941\/","title":{"rendered":"Mozilla mandates that new Firefox features rely on encrypted connections"},"content":{"rendered":"

<\/p>\n

Credit to Author: Gregg Keizer| Date: Thu, 18 Jan 2018 10:37:00 -0800<\/strong><\/p>\n

Mozilla this week decreed that future web-facing features of Firefox must meet an under-development standard that requires all browser-to-server-and-back traffic be encrypted.<\/p>\n

“Effective immediately, all new features that are web-exposed are to be restricted to secure contexts,” wrote Mozilla engineer Anne van Kesteren in a post<\/a> to a company blog. “A feature can be anything from an extension of an existing IDL-defined object, a new CSS property, a new HTTP response header, to bigger features such as WebVR.”<\/p>\n

Secure contexts<\/i><\/a>, dubbed a “minimum security level,” is a pending standard of the W3 (World Wide Web Consortium), the primary standards body for the web. Secure contexts’ main purpose, according to its documentation: “Application code with access to sensitive or private data be delivered confidentially over authenticated channels that guarantee data integrity.”<\/p>\n

In practice, that means traffic must be encrypted to prevent “man-in-the-middle” attacks in which hackers siphon insecure browser-server traffic by getting between the two and listening.<\/p>\n

Henceforth, any newly-introduced Firefox feature that relies on browser-to-server communication will work only<\/i> across HTTPS connections. Older features and\/or technologies will continue to operate across unencrypted HTTP links on a “case-by-case basis,” said van Kesteren. He also pledged that Mozilla would provide developer tools to “ease the transition to secure contexts.”<\/p>\n

The move isn’t out of the blue: Mozilla first announced intentions to require HTTPS<\/a> in April 2015. The first item of business then was “setting a date after which all new features will be available only to secure websites,” which this week’s missive scratched off the to-do list. Nor was Mozilla flying solo on the tactic, as others, notably Google, have been pressuring sites to convert from HTTP to HTTPS since 2014.<\/p>\n

(Mozilla has been in that hunt as well with its sponsorship of the Let’s Encrypt<\/a> project, which provides free certificates to secure sites. By Mozilla’s tally, 66% of all Firefox-loaded pages were encrypted this month.)<\/p>\n

The next opportunity for Firefox to introduce a new feature or technology that would be immediately affected by its announcement will be Jan. 23, when version 58 is to ship.<\/p>\n

http:\/\/www.computerworld.com\/category\/security\/index.rss<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

<\/p>\n

Credit to Author: Gregg Keizer| Date: Thu, 18 Jan 2018 10:37:00 -0800<\/strong><\/p>\n

\n
\n

Mozilla this week decreed that future web-facing features of Firefox must meet an under-development standard that requires all browser-to-server-and-back traffic be encrypted.<\/p>\n

“Effective immediately, all new features that are web-exposed are to be restricted to secure contexts,” wrote Mozilla engineer Anne van Kesteren in a post<\/a> to a company blog. “A feature can be anything from an extension of an existing IDL-defined object, a new CSS property, a new HTTP response header, to bigger features such as WebVR.”<\/p>\n