Firefox 37: will opportunistic encryption, meant to secure web traffic, encourage HTTP sites not to migrate to HTTPS?



Mozilla delivered the latest version of its Firefox browser a few days ago. Among the updates and changes that came with Firefox 37 in terms of security, opportunistic encryption drew the attention of more than one observer. Firefox now integrates "opportunistic encryption of HTTP traffic when a server supports HTTP/2 AltSvc", Mozilla announced on its blog.

We have long praised the security qualities of the HTTPS protocol. HTTPS encryption offers protection against man-in-the-middle attacks designed to intercept unsecured traffic, whereas HTTP traffic can easily be tampered with or monitored by malicious parties. But for one reason or another, many web sites are still dragging their feet on adopting HTTPS and therefore continue to publish all or part of their content without encryption.

With opportunistic encryption (OE) enabled by default, Mozilla aims to encrypt web traffic via Firefox 37 wherever possible.

OE in fact lets any system that connects to another system attempt to use cryptographic methods to establish the communication. When that is not possible, the communication takes place over an unencrypted channel. This way, no prior agreement between the two systems is needed.

In Firefox's case, all communications will be encrypted if the servers or sites support HTTP/2 AltSvc.

First, Firefox checks that there is an HTTP/2 service on port 443, said Patrick McManus, a developer at Mozilla. "When a session is established with this port, it will start directing requests that would normally be sent in cleartext to port 80 (http) to port 443 with encryption instead. There will be no delay in responsiveness because the new connection is fully established in the background before being used. If the alternative service (port 443) becomes unavailable or cannot be verified, Firefox will automatically return to using cleartext on port 80," he added.

OE does have a major flaw, however: its lack of cryptographic authentication. Opportunistic encryption does not actually validate that a connected server is operated by the organization that claims to own it. Furthermore, it does not protect against man-in-the-middle attacks the way HTTPS does.
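The routing decision McManus describes (upgrade to the advertised HTTP/2 service on port 443, fall back to cleartext on port 80 when it is unavailable) modelled as a small Python example; this is added here for illustration and is not Mozilla's code. The Alt-Svc header syntax follows RFC 7838; `probe` is a hypothetical callback standing in for the browser's background connection attempt, and the same-host restriction is the example's own conservative policy, reflecting RFC 7838's rule that an alternative on a different host needs strong server authentication, which OE does not provide.

```python
"""Alt-Svc driven opportunistic encryption (OE) routing, as an added
example of the Firefox 37 behaviour described above."""
import re

# One Alt-Svc entry:  protocol-id="[host]:port"; param=value; ...
_ALT_RE = re.compile(r'\s*([\w%+.-]+)="([^"]*)"((?:\s*;\s*[^;,]+)*)')


def parse_alt_svc(header: str):
    """Return a list of (protocol, host, port, params) from an Alt-Svc value."""
    alts = []
    for proto, authority, params in _ALT_RE.findall(header):
        host, _, port = authority.rpartition(':')
        if not port.isdigit():
            continue
        pmap = {}
        for p in params.split(';'):
            if '=' in p:
                k, v = p.strip().split('=', 1)
                pmap[k] = v
        alts.append((proto, host, int(port), pmap))
    return alts


def choose_route(origin_host: str, alt_svc: str, probe):
    """Decide where an http:// request for origin_host goes.

    probe(host, port) is a hypothetical callback: it returns True only if
    an HTTP/2-over-TLS service answers on that port.  OE never validates
    the certificate, so nothing here authenticates the peer; the upgrade
    only hides the request from a passive observer."""
    for proto, host, port, _params in parse_alt_svc(alt_svc):
        if proto != 'h2':          # OE only upgrades to HTTP/2 alternatives
            continue
        target = host or origin_host
        if target != origin_host:  # unauthenticated OE stays on the origin host
            continue
        if probe(target, port):    # verified in the background, no user-visible delay
            return ('tls', target, port)
    return ('cleartext', origin_host, 80)   # alternative missing or unverifiable


if __name__ == '__main__':
    # Constructed header value, as a server supporting h2 on 443 would send it.
    header = 'h2=":443"; ma=2592000'
    print(choose_route('example.com', header, lambda h, p: True))   # ('tls', 'example.com', 443)
    print(choose_route('example.com', header, lambda h, p: False))  # ('cleartext', 'example.com', 80)
```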

Still, unauthenticated encryption is better than no encryption at all, said McManus. The Mozilla developer also added that OE "creates some confidentiality in the face of passive listening."

OE is also not appreciated by all observers. When it was proposed, some 17 months ago, that it become an official part of the HTTP 2.0 specification, it attracted much criticism. The distrust of opportunistic encryption lies precisely in the fact that it might encourage some sites not to adopt the safer protections of HTTPS.

