apostacy commented on When MFA isn't MFA, or how we got phished   retool.com/blog/mfa-isnt-... · Posted by u/dvdhsu
dvdhsu · 2 years ago
Hi, David, founder @ Retool here. We are currently working with law enforcement, and we believe they have corroborating evidence through audio that suggests a deepfake is likely. (Put another way, law enforcement has more evidence than just the employee's testimony.)

(I wish we could blog about this one day... maybe in a few decades, hah. Learning more about the government's surveillance capabilities has been interesting.)

I agree with you on hardware 2FA tokens. We've since ordered them and will start mandating them. The purpose of this blog post is to communicate that what is traditionally considered 2FA isn't actually 2FA if you follow the default Google flow. We're certainly not making any claims that "we are the world's most secure company"; we are just making the claim that "what appears to be MFA isn't always MFA".

(I may have to delete this comment in a bit...)

apostacy · 2 years ago
This is an example of Google sabotaging a technology it doesn't like. I'm not saying it is a conspiracy. But by thwarting TOTP like this, Google is benefiting.

I really like TOTP. It gives me more flexibility to control keys on my end. And you can still use a Yubikey to secure your private TOTP key. But you can also choose to copy your private key to multiple hardware tokens without needing anyone's permission. Properly used, you can get most of the benefit of FIDO2 with a lot more flexibility.

I actually recently deployed TOTP, and everyone was quite happy with it. But knowing that Google is syncing private keys around by default, I no longer think we can trust it.

apostacy commented on CloudFlare’s last Warrant Canary was published over a year ago   cloudflare.com/learning/p... · Posted by u/JHorse
TylerE · 2 years ago
Probably the giant “United States” section with dozens of examples?
apostacy · 2 years ago
I do not think that the United States section of that article is valid. It seems to equate speech with communication.

It does not feel right to call an IRS tax return "speech".

apostacy commented on Web Environment Integrity API Proposal   github.com/RupertBenWiser... · Posted by u/reactormonk
Mindwipe · 2 years ago
It affected Spotify enough to engineer a solution to stop it.

And five years isn't "fairly recent".

One would also note Spotify is a failing business, and it was failing even harder then.

apostacy · 2 years ago
The majority of Spotify's lifetime there was NO DRM, and ripping it was easy.

The majority of users had no idea and it didn't affect them at all. Nor is there any evidence that it had any impact on Spotify's business.

apostacy commented on The Right to Lie and Google’s “Web Environment Integrity”   rants.org/2023/07/the-rig... · Posted by u/boramalper
paulmd · 2 years ago
Well, any time anyone might be loading up a website for the first time in a coffee shop.

Also, “remember this cert forever” (cert pinning) has been an ops disaster for a lot of sites that have tried it. So in practice “the first time” might be more like every week or every month. What's the risk that a coffee shop will not serve you a malicious cert once a week?

Also if they do it and you move back to your home connection… the site is broken there because now it’s returning a different one than was pinned (by the attacker!).

apostacy · 2 years ago
There are plenty of ways to improve security but maintain openness.

I think a good idea might be to have TOFU and self-signed only as a fallback. If there was no initial mismatch, then update the cert periodically.

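To make the two positions in this exchange concrete, here is an added example that is not from the original thread. It models a trust-on-first-use pin store over certificate bytes (SHA-256 of the DER, as real pinning does), then replays paulmd's coffee-shop scenario under plain TOFU and under the ordering apostacy suggests, where the CA path is consulted first and TOFU only catches what the CA path cannot validate. The certificate blobs and the `ca_validates` predicate are constructed stand-ins for a real DER certificate and chain verification; nothing here speaks TLS.

```python
import hashlib
from typing import Callable, Dict, Tuple


def fingerprint(cert_der: bytes) -> str:
    """Pin format used by HPKP-style pinning: the SHA-256 of the certificate bytes."""
    return "sha256/" + hashlib.sha256(cert_der).hexdigest()


class TofuPinStore:
    """Trust on first use: remember the first certificate seen for a host, reject later changes."""

    def __init__(self) -> None:
        self.pins: Dict[str, str] = {}

    def check(self, host: str, cert_der: bytes) -> str:
        fp = fingerprint(cert_der)
        pinned = self.pins.get(host)
        if pinned is None:
            self.pins[host] = fp       # first contact: whoever answers first gets pinned
            return "pinned"
        return "ok" if pinned == fp else "mismatch"


def check_with_ca_fallback(store: TofuPinStore, host: str, cert_der: bytes,
                           ca_validates: Callable[[bytes], bool]) -> str:
    """apostacy's ordering: CA validation first, TOFU only for certs the CA path cannot vouch for.
    A CA-validated cert is never pinned, so a legitimate re-issue cannot trip the store."""
    if ca_validates(cert_der):
        return "ca-ok"
    return store.check(host, cert_der)


# Constructed placeholders for DER-encoded certificates (not real ASN.1).
HOME_CERT = b"constructed-der: CN=example.test issued by a public CA, key A"
MITM_CERT = b"constructed-der: CN=example.test self-signed by the coffee-shop AP"


def ca_validates_stub(cert_der: bytes) -> bool:
    """Stand-in for chain verification against the system root store: only HOME_CERT chains up."""
    return cert_der == HOME_CERT


def plain_tofu_scenario() -> Tuple[str, str]:
    """paulmd's failure mode: first contact happens behind a hostile AP, so the attacker's
    cert is pinned and the real site then breaks on the home connection."""
    store = TofuPinStore()
    at_coffee_shop = store.check("example.test", MITM_CERT)
    at_home = store.check("example.test", HOME_CERT)
    return at_coffee_shop, at_home            # ("pinned", "mismatch")


def ca_first_scenario() -> Tuple[str, str]:
    """Same traffic with CA-first ordering: the hostile self-signed cert still gets pinned at
    first contact, but the genuine CA-issued cert is accepted at home without consulting the pin."""
    store = TofuPinStore()
    at_coffee_shop = check_with_ca_fallback(store, "example.test", MITM_CERT, ca_validates_stub)
    at_home = check_with_ca_fallback(store, "example.test", HOME_CERT, ca_validates_stub)
    return at_coffee_shop, at_home            # ("pinned", "ca-ok")


if __name__ == "__main__":
    print("plain TOFU :", plain_tofu_scenario())
    print("CA first   :", ca_first_scenario())
```

The two results show what the fallback does and does not buy. CA-first ordering removes the breakage paulmd describes for sites that hold a CA-issued certificate, because the pin is never consulted for them. It does nothing for a site that only has a self-signed certificate: at first contact the store still cannot tell the real self-signed cert from the attacker's, so TOFU's first-contact exposure remains exactly where it was.
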
apostacy commented on The Right to Lie and Google’s “Web Environment Integrity”   rants.org/2023/07/the-rig... · Posted by u/boramalper
derefr · 2 years ago
> a browser that can only visit websites that third party TLS CA corporations periodically approve

Er... no. It means that Firefox will only connect to websites that the domain administrator of the system approves of. You, as the administrator of a computer, can install whatever X.509 roots of trust you want. Including a root of trust you own, which can issue certificates for whatever websites you approve of.

Today, where there are residential users who can't get the attention of big companies, you'd probably then run a local forward-proxy that re-wraps connections to sites you trust, with certificates rooted in your root-of-trust.

But this is just a sociological evolution of the original design intent of X.509: where each corporate/institutional/etc domain would directly manage its own trust, acting as its own CA and making its own trust declarations about each site on the internet, granting each site it trusts a cert for that site to use when computers from that domain connect to it. Just like how client certs work — in reverse.

(How would that work? You'd configure your web server with a mapping from IP range to cert+privkey files. Made sense back when there was a 1:1 relationship between one class-A or class-B IP range, one Autonomous System, and one company/institution large enough to think of itself as its own ISP with its own "Internet safety" department.)

apostacy · 2 years ago
> You, as the administrator of a computer, can install whatever X.509 roots of trust you want. Including a root of trust you own, which can issue certificates for whatever websites you approve of.

That is a completely unreasonable assumption. The barriers of entry have been greatly increased.

How many users have devices that they are really administrators of? Fewer and fewer.

What is the technical challenge of setting up your own HTTP server that can be browsed with an off the shelf browser on your local computer?

apostacy commented on Web Environment Integrity API Proposal   github.com/RupertBenWiser... · Posted by u/reactormonk
enumjorge · 2 years ago
> The saving grace here might be that Firefox won't implement the proposal.

As others have said, FF doesn't have a lot of leverage left to influence those type of decisions, but Safari might. Not sure what their position is on this proposal.

The one pager has a section on stakeholder feedback [0], but doesn't name them for some reason.

[0] https://github.com/RupertBenWiser/Web-Environment-Integrity/...

apostacy · 2 years ago
Looking at it in terms of leverage and market-share is a huge mistake that Mozilla keeps making. Mozilla doesn't have a platform like Google does. What exactly is Mozilla even competing for? Popularity?

They should hunker down and make the best browser they can, implementing their best web. It worked 20 years ago, and in many ways the circumstances are the same. We have tech monopolies proposing ludicrous "content security" mechanisms. Where would Mozilla have been if they tried making some sort of half baked "less evil" form of Microsoft Janus DRM[1]?

People are going to get sick of how intrusive DRM is becoming, and there should be an alternative waiting for them.

Every person who has content they thought they purchased "expire" and be erased from their device, or who can no longer use their expensive projector after the latest mandatory update.

I evangelized heavily for Firefox in the 1.x days. People were sick of IE6, and were glad to have Firefox. I worked at a computer store and probably converted 100+ people.

[1]: https://en.wikipedia.org/wiki/Janus_(DRM)

apostacy commented on Web Environment Integrity API Proposal   github.com/RupertBenWiser... · Posted by u/reactormonk
flangola7 · 2 years ago
Spotify will not load in a browser without a DRM plugin
apostacy · 2 years ago
Yes, but that is fairly recent! Did anyone even notice? For years, you could siphon every song you listened to and save it locally. But did it affect anything? I did it for a little while, but then found it wasn't worth the trouble.
apostacy commented on Web Environment Integrity API Proposal   github.com/RupertBenWiser... · Posted by u/reactormonk
veave · 2 years ago
If browsers didn't natively support DRM then they would have to come up with external extensions (such as Flash) to support DRM.

DRM isn't going away.

apostacy · 2 years ago
DRM should be inconvenient and expensive. There have always been ways to implement DRM security theater for the comfort of content providers in board rooms.

The media ecosystem is not going to be enhanced by making DRM more restrictive. Netflix could completely deactivate all DRM today, and it would change nothing.

Apple completely abandoned their "FairPlay" iTunes music DRM because it became evident that it was not needed.

apostacy commented on Web Environment Integrity API Proposal   github.com/RupertBenWiser... · Posted by u/reactormonk
riffraff · 2 years ago
I think in this case Firefox is in a different position: if it didn't support EME netflix wouldn't work.

But in this case it could report "sure, this is a real user alright" by being its own attester, can't it?

apostacy · 2 years ago
So what if Netflix doesn't work?? That is the choice of Netflix. Big content will always want more control. Firefox will never be able to keep up. They will just do a mediocre job of working against their users.

Microsoft and Real Player pushed hard for an integrated ActiveX based DRM ecosystem over a decade ago. I'm so glad that Mozilla flatly refused to entertain such idiocy. I sure wish that Mozilla still existed.

Mozilla is now just a "pick me" [1] organization to big content. They should own being a browser that caters to users, not platforms. Because they will end up with nothing.

[1]: https://www.urbandictionary.com/define.php?term=Pick%20me

apostacy commented on Web Environment Integrity API Proposal   github.com/RupertBenWiser... · Posted by u/reactormonk
ahahahahah · 2 years ago
And thank god for that, otherwise we'd still need to support flash to use most popular websites.
apostacy · 2 years ago
Good. DRM should be external to the browser, not integrated into it.

DRM is mostly security theater anyway. Until a few years ago, the Spotify client just left unencrypted mp3s cached locally. And they stopped DRMing music over a decade ago. People are willing to pay a reasonable price for first party content.

If a company insists on DRM, then they should be on their own.

If we make it too easy, then they will just use it everywhere.
