Ask HN: What feature would you want the web to “force” next, after HTTPS?

114 points by chiefofgxbxl ↗ HN
We've seen the push for HTTPS in recent years accelerate and become more and more aggressive (in a good way).

Browsers have arguably led this drive by notifying users that the pages they are viewing are "NOT SECURE", through the use of pad-lock icons in the URL bar or even notifications under textboxes (e.g. Firefox) [0]. Chrome, too, is driving this trend. And with users fearful of sending data over a "non secure connection", they'll be vocal enough to push website owners to fix this issue.

---

So, if you could decide: what feature or measure would you want to see adopted as quickly as the push to make all sites use HTTPS?

[EDIT: kudos if you describe how your new standard could be "forced", e.g. through a URL-bar icon, notifying users somehow, etc. How would you convince other developers and maintainers of large code-bases, websites, browser vendors, etc. that they should throw their support behind your initiative?]

Think ambitiously too -- imagine your proposed feature would have the same backing and urgency as we have with HTTPS, with browsers (for better or for worse) authoritatively "dictating" the new way of doing things.

---

[0] http://cdn.ghacks.net/wp-content/uploads/2017/03/firefox-52.0-warning-insecure-login.png

[1] https://www.troyhunt.com/life-is-about-to-get-harder-for-websites-without-https/

278 comments

[ 2.1 ms ] story [ 295 ms ] thread
Is this some reverse-psychology attempt to point out how fascist it feels when the browser feels it's smarter than you and begins taking its own decisions?
ML driven content blocking for ads and other garbage such as social widgets and beacons. Red screen warning as deceptive on any site that tries to hack its way around the filter.
Wouldn't you by definition not be able to detect working around the filter? Because if you could detect it, why would it not just be another filter condition?
Interesting concept.. one that Google certainly wouldn't implement in Chrome because of their ad-based revenue model.

But I could entirely see a little privacy "eye" icon in the URL bar of Firefox, similar to the padlock icon we have now for HTTPS/certificates.

The eye could turn red and display text for the site you are visiting based on analytics, beacons, web bugs, and so on.

Or how about major social media sites have their icons placed in the URL bar if they have trackers / social media widgets on the current page. This way, it is made explicitly clear to the user that "{Insert social platform here} is tracking you on this page, even while you are logged out, don't have an account, ..."

The difficulty with having the browsers force the standard is getting Google Chrome on board, since they have so many users.

Automated HSTS, revokable public key pins, and certificate transparency.
Agreed, but I'd add ipv6
Agreed, but to those 4 things I'd add DANE TLSA (RFC 6698) and Certification Authority Authorization (CAA) (RFC 6844) as further lines of defence against rogue CAs.
I'd vote for DNS-over-HTTPS or similar tech. Encrypting domain name resolution should help mitigate a gateway or proxy (Comcast) from knowing or blocking sites you visit.
I second this. DNS is still a privacy killer
Solid idea, I like it.
DNS is a non-trivial amount of traffic to go moving from a lightweight UDP protocol to something like HTTPS. Furthermore, that would dramatically increase page load times (for reasonably sized pages) since HTTPs requires more turns.
> dramatically increase page load times

This is true, but with a reasonable cache design, it shouldn't be too bad.

Unfortunately a single page load often contains files from many different domains. Sometimes 10+. So caching may be of limited use.

Although this may be a nice driving factor to get eCommerce sites to stop putting 50 tracking pixels on every page.

That's true. DNS lookups seem like something you can do in parallel though, so I still don't think it's that big of a hit.
Presumably you would keep-alive your DNS over HTTPS connection. That would keep the packet turns the same.
No need to go full https with it, dh once per session, then exchange data (could be over udp)
Doesn't https://dnscrypt.org do that?
Nope, it simply gives you an assurance that the DNS entry you receive hasn't been spoofed and is coming from the DNS server that you expect it to originate from. See their homepage explanation.
SNI puts the DNS names you're connecting to in plaintext at the start of every TLS connection. Running your DNS over an encrypted channel won't stop someone from knowing or blocking the sites you connect to.
Luckily, from 2018 on, SNI will be mostly unnecessary, as LE will support Wildcard certificates, with DNS verification, for many domains in a single certificate.
SNI will still be necessary for when you have multiple servers under one IP (until IPv4 is deprecated, this is necessary), for example on a shared host (which might even have shared IPs under IPv6).

IIRC there are some ways SNI will be encrypted with TLS 1.3 so it's not a problem to begin with.

DNS Crypt (https://dnscrypt.org/) at least partially addresses some concerns with the current DNS specification providing for the authentication of DNS entries (spoofing prevention). I don't think it addresses the privacy concerns of ISP or 3rd party sniffing though.
I always found DNS to be one of the most compelling uses of the blockchain. Namecoin actually did a great job at this.

Effectively if put into practice, ISPs would run name servers that effectively mirror the whole DNS system via blockchain. And if you really wanted to have ultimate privacy you could run it locally on your machine and there would be no way for anyone to know what domains you've looked up.

It's not security related, but: Accessibility.
Yep, browsers should have screen readers built in. It's ridiculous that you have to shell out $1000+ for a JAWS license (there are alternatives, but they need work).
Yeah, I've tried using the free options to sort of test my products, but it's not a realistic test; the most useful work comes from people who use screen readers daily, but it's really hard to test if we've fixed the problem even when it's been identified so we have to go back and forth.

And, I mean, there are accommodations and assistive technology built into the standards. It's just nowhere near as widespread as it should be, in terms of usage, and it's always an afterthought (if it is thought of at all) in frameworks and HTML templates and such. And, because most of the time an inaccessible site or app is so inaccessible as to prevent anyone who would notice from getting far enough in to complain. So, we need good tools for knowing when our stuff is broken from an accessibility standpoint.

I think what I'm getting at is that it should be easy to see errors in accessibility, and maybe search engines should favor sites that at least make an effort.

The problem with testing with assistive technology yourself is you're not a real user who knows the tool well. Also, like browser testing, there are differences between different AT; VoiceOver is used by many visually impaired people but what it supports and how it works is different in a number of ways compared to JAWS or NVDA (e.g. VoiceOver doesn't have "form" and "browse" modes).

Search engines giving more accessible sites a "buff" as Google now does for HTTPS sites is a good idea. They already do in a small way in that having things like proper headings are good for SEO but they could go much further.

Google has their own Accessibility Developer Tools [0] add-on, they could make it a default part of Chrome Dev Tools and make it more prominent.

https://chrome.google.com/webstore/detail/accessibility-deve...

Anyone who needs a screen reader needs it for accessing the whole device so building a screen reader into a browser is kind of pointless. The exception being Google's ChromeVox but that's because on Chromebooks the browser effectively is the OS.

NVDA and Windows's Narrator are already probably good enough but JAWS is better. VoiceOver is built into macOS and iOS and is beyond good enough.

Browsers can do a better job of exposing semantics through accessibility APIs to assistive technology [0]. Browsers could also intelligently make up for the failings of web sites; e.g. when a site uses a div with a click event instead of a button element, present it as a button through the accessibility API based on heuristics. Browser rendering engines already do a lot to visually compensate for errors in HTML, they could do the same for some semantic errors.

[0] http://www.html5accessibility.com

Accessibility is more than just screen readers, too; e.g. there are OS-level settings for increased contrast and differentiation without color that are just about universally ignored on the web.
I second this. Most of the other ideas here are either technologies that don't exist yet or things only nerds care about (I'm a nerd so I can say that).

This would have a meaningful impact on the lives of many in an underserved community.

JavaScript Standard Library created that every browser has "installed" and updated automatically.
Yeah. It's a real shame that the language we need batteries-included in the most (because of code size limitations) is one of the most deficient.
I feel like the mess helps discourage it's use. I shouldn't need a Turing machine in order to read a text document.
While I agree with you, that ship has sailed I think. I'd rather see it take less bandwidth, less memory and less CPU time at least!
Dropping TLS in favor of IPSec. Now every protocol is transparently secure by default and there's no chance of developers accidentally messing it up.
IPSec is beautiful and definitely was the correct way to handle encryption.

IKE and ISAKMP was the problem, that stuff is an absolute nightmare. Maybe now with IKE2 it might get better...

> IPSec is beautiful.

Could you elaborate?

Key management would be a nightmare here. IPSec has very long setup times, and every destination would need a new crypto configuration. This is exactly the problem that TLS was designed to solve, and IPSec and the web are a bad mix.
A simple way to block third party trackers/beacons that's on by default, with a simple one-click to disable it on that page load.
Default encrypted email communications
That's not part of the web.
Given that most people's email is probably through Web apps these days, that's probably not effectively true.
Even if you use a desktop client, email is part of the world wide web.
How do you figure that? If you're using a desktop client, it seems pretty exactly not part of the web.
It seems that I was confused with the definition of the web. I was synonymizing it with Internet. So never mind, email is not part of the web.
- A protocol for sites to get my public PGP key for server side use

- The discontinuation of using SSL certificates for verification of website identities and a move to true fingerprinting ala SSH.

- Deprecation of email or rather its insecurity.

- Logins on websites with a public / private keypair ala SSH.

- A resurgence in sites that let me pick my own anonymous username instead of Facebook, Google or Twitter logins and email addresses as UIDs.

- Blocking of any and all forms of popups, including javascript popups, overlays, cookie banners, browser notifications.

The web is rapidly becoming a place I don't want to visit anymore.

> Deprecation of email or rather its insecurity.

We would need something to replace it with, there is really nothing right now.

While I agree, there is definitely movement and recent movement [0][1] , I just wish I had the knowledge to contribute. I am great and figuring out how things work, breaking them and understanding them. Building from scratch is a bit above my head, albeit I have a few ideas....

[0] https://news.ycombinator.com/item?id=14708783 [1] https://magmadaemon.org/

We already have standards for encrypting/authenticating email transfer between mail servers and between the server and user agent.

This doesn't solve the problem of mail being encrypted in transit. As far as I can tell the server operator can still read the user's mail. What we need is end-to-end encryption, lack of support in MUAs (iphone mail app, thunderbird etc.) is the problem here, it has really nothing to do with the server.

> lack of support in MUAs (iphone mail app, thunderbird etc.)

Thunderbird supports S/MIME out of the box and PGP through an addon, so I'm not sure what other kinds of end-to-end encryption you'd want to see. Not sure about the iPhone mail app.

The login problem was attempted to be solved by Mozilla's "persona", now deprecated. I like the general idea that I strongly authenticate to my browser, which can then "vouch" for me to various sites using cryptographic tokens that are otherwise useless (so no cracking/stealing passwords, etc). The devil of course would be in the details.
The devil is that the corporations able to influence this change directly benefit from current identity systems. Google for example has huge infrastructure in place linking its products together and includes tracking and other features that would only work with the current system.
Sorry that didn't work out :(
My concept (high level) for dealing with things like server and user identities handled by key pairs:

Take keybase (or its conceptual basis) and distribute it. Each domain can host its own key server. You can post proofs on other domains to link domain identities or logins. So now my phone has a key that's attached to the identity jtsummers at legoflambda.org. You have a service. I register the identity jtsummers at legoflambda.org with your service. I can log in using the key from my phone. My laptop has its own key. My yubikey stores a third key for access while I'm traveling without my laptop. Each of those I've connected via some proof mechanism to my key server so I can log into your service using any one of those keys.

Google and others can also host a key server so my user at gmail.com identity can also be used or my facebook.com identity, again with multiple keys associated with them from my various devices. And possession of the private key can also be used to access the same services (perhaps paired with something like a TOTP or other shared secret if you want an extra layer of authentication).

Now you want to send a message to me, you can have a service similar to what keybase offers. You send a message to any one of my public identities or keys, it gets made available to all of them. You know me here on HN, you send it to that identity. You know me by some other forum handle or by my gmail account you use those. And since my public keys are all available, you can send an encrypted message that will be available to any one of my devices (which I can re-encrypt as I add and remove devices).

This also handles a lot of the problem with spam. Spammers now have to take the time to individually encrypt messages for every user. They have to publically post identities and keys so that users can authenticate them. And users can block spammers by blocking the keys associated with them and block an entire identity by blocking all the keys associated with the spamming key. You want to ensure that that email from your bank is legitimate? Your bank should have a publically visible key server that all communications from them make use of. Whether they send the message in the clear with only a signature or if they send an encrypted message to you (preferred for privacy and security anyways).

This also helps with applications like signal/whatsapp which are presently tied to a single client instance. Now, I can associate my whatsapp key with multiple other keys (each on different devices, presumably). So you want to send me a whatsapp message, it can now be sent to all my devices. My phone number can still be an identity used by those services, but it's no longer the only one.

This was a particularly annoying case for me as I travel internationally with a separate phone than my US phone since it's locked, I had to enable WhatsApp on my travel phone using my primary cell number for ease of friends communicating with me (I don't have to get my secondary number to all of them and remind them to switch back once I'm done). If I could have connected my secondary device to my primary one then all messages sent to my main number would have been received by both, and messages sent from either would all appear to the recipient as belonging to the same identity.

====

This is not a well structured presentation, sorry. It's more the random thoughts that have been hopping around in my head for the last couple months between other more pressing concerns.

I love the encryption ideas.

Do you know if PGP public/private key pairs can be used for ephemeral keys? I'd hate to rely on the same secret to store everything throughout time.

PGP allows creation of subkeys. I'm not entirely clear that that's useful here, but it might be.
I haven't had my morning coffee, but I believe that lack of forward-secrecy is exactly the main drawback with PGP as a protocol; but it's been a while since I looked at it
>The discontinuation of using SSL certificates for verification of website identities and a move to true fingerprinting ala SSH.

You do realize that's trust-on-first-connect aka self signed certigicates, right? Especially with LE, thats worse in every way to the CA model.

>Logins on websites with a public / private keypair ala SSH.

Pretty much client certificates minus PKI.

SSH is only trust-on-first-connect if you choose to behave that way. Whenever you connect to a new machine, it prompts you "I don't recognize this machine, and its fingerprint is XXXX. Do you trust that?"

I don't see how the option to trust websites is worse than having a bunch of certificate authorities choose who I'll trust for me.

How would you possibly know which fingerprints to trust? Also, do you honestly think there is any hope for the average user to understand what that means and know what to trust and what not to trust? IMO, that is a massive step backwards in usability, which directly impacts the overall security of a given solution. If something is not usable, then people will figure out a way around it and security then goes out the window.

For example, if users were responsible for knowing which fingerprints to trust for a given website, they would most likely just click "ok, trust it" for everything. Then, you're overall security goes way down because now people are conditioned to click "accept" to everything, regardless of the impact.

Signed archives of trusted or untrusted fingerprints, distributed by various and independent authorities is one option.

Trust is, by definition, an extention of solidity or support. CA is a trust model, which has proved both brittle and unworkable.

http://www.etymonline.com/index.php?term=trust&allowed_in_fr...

Google and other services presently provide extended trust and validity assessments for websites: pinned certificates, malware scans, and the like. A limited number of such reliable schemes would scale reasonably well, and should prove useful.

I'm not saying "perfect", I'm saying "useful".

Interesting, that's a possibility.

I was thinking of something more akin to, say Google's pinned certificates (something which practices such as Let's Encrypt actually makes harder AFAICT):

https://security.stackexchange.com/questions/29988/what-is-c...

Or something that might be a parallel of email reputation services -- SenderBase / IronPort (now Cisco) rating email servers by their spam loads, etc.

Rather than negative reputation, a positive reputation (vouch rather than warn) might be viable. (Negative ratings systems, digital or otherwise, tend to inspire various legal assaults.)

As an individual user, you have no better information than your knowledge of the website and its claims on security, maybe its brand, and what your social circles claim about its security practices. A certificate authority at least has the potential to aggregate data and from there assess the security of a website. The original ideas behind certificate authorities are not dissimilar from insurance.
SSH-style login is still something I'd really fucking love. Much more secure way of logging in, easy protocol for storing multiple passwords, and easy authorization/deauthirzation of passwords/keys.
Client TLS certs already exist, and they are a massive pain for the average user.
I remember StartCom used client TLS certs, the only place where I ever saw them in use, and the browser workflow was certainly clunky. I'd hate to see a non-techie have to deal with it.
They worked quite smoothly for me. I actually liked StartCom's login process.
So I have heard of client TLS authentication, but does it exist for the web (I mean just in principle, not whether it is really used). That is, do browsers support it?

The thing is, if it is a massive pain for average users, then that is an own-goal. Look at SSH: there is no certification chain there. All you do is generate a keypair and then (here's the awkward bit) magic the pubkey over to the server.

It would be easy enough for a website to make pubkey installation a seamless part of the sign-on workflow.

Yes, browsers have supported client certificates for decades and continue to today.
It is a massive pain for average users but it's well supported by browsers is because big corporations have IT departments that provision (and admin) computers for their users, average or otherwise, and the provisioning process includes setting up client certs.

So while browsers do support client certs, there has been very little effort to make them easy to install due to a chicken-egg situation. They're hard to use, so no one uses them, but no one (random sites on the Internet, that is) uses them for client auth because they're hard to use.

A ban of everything JS except for these so-called web apps, which obviously need it. Make the internet great (performant/efficient/secure) again!
Really what browsers need are profiles. Maybe a research profile that just supports submitting search forms and renders everything in the same colors and the same fonts and the same margins, and an app profile which lets pages do all the ridiculous JS crap.
And websites supporting this. I recently came across some site providing a paper that wouldn't even load the raw text without JS.
Forgive me, but I just don't understand this sentiment at all. I understand your general frustration with over-engineered websites - but is it not your choice to visit that website? Do you not also have the ability to block javascript just like the scourge of flash websites before it? We aren't talking about vulnerabilities here though, youre just saying that there are websites out there that could do with less (or no) javascript but arent, so you want to "force" them to?

Let me ask it a different way - do you have any reasonable expectation that your proposal will ever be accepted? That browser manufacturers will implement things to limit or block the functionality of js? Where would the line be drawn (and who would draw it) between the so-called web apps and everything else that isn't worthy?

There already are some mechanisms in place to decentivize misbehaving websites such as the google rankings. But thats a far cry from a browser not supporting or displaying some warning when viewing one of those sites.

Maybe im missing something - that there are these required sites that are misbehaving and we need some regulatory power to rein them in.

  Maybe im missing something
You definitely are. Disable js and try browsing. Note the quadrupled battery life in your laptop.
I don't doubt improved battery life (although quadrupled seems like a stretch) - but I bet if you turned off images and video you'd have a similar improvement - but nobody is saying that pictures are ruining the web.

Again, arent you capable of choosing the websites you use? Are there websites you are required to spend extended amounts of time with that you want the browsers to step in and force them to use less javascript?

images decode once and usually in hardware. js runs in background, forever.
Let me guess, you write angular apps backed by node?
>Let me ask it a different way - do you have any reasonable expectation that your proposal will ever be accepted?

There are hundreds of pie in the sky suggestions being floated here, and the one about javascript is the one you choose to attack with this argument?

JavaScript has unequivocally made the web worse for everyone but advertisers and perhaps the people that run CDNs.

Why, of all the proposals here, are you trying to shit on this one on particular?

Honest question.

> JavaScript has unequivocally made the web worse for everyone but advertisers and perhaps the people that run CDNs.

Do you really think this is defensible? That the web would be as popular or useful as it is today without the ability to run code in the browser? I'm curious if you think there is a majority of people that agree with this?

> Why, of all the proposals here, are you trying to shit on this one on particular?

I am not shitting on anyone - im trying to have an honest discussion about why you and the OP feel that javascript is such a scourge that it needs to be regulated. Not one person has addressed even one of my questions, you included. I'm sorry you're taking my challenge as hostility - its not intended that way.

I submit that its possible I am missing something - perhaps there is situations out there that I don't have to deal with. I'm asking for an honest view point that I can try to understand.

> ... pie in the sky ...

Theres a difference between "here's something thats easily accepted is a good idea but might be difficult to implement" and this. I'm asking for an explanation of the premise itself.

Plenty of popular web applications work(ed) without JavaScript. I'm thinking here of thinks like Gmail.

The only thing that I can think of that absolutely requires JavaScript is advertising and tracking.

Anything else better serves the user as a desktop or native app.

Evergreen web browsers. Safari and IE11 continue to ruin my life.
Unfortunately this one is impossible even if every developer and browser vendor were all unanimously in favor. Edge-née-IE is evergreen now, but users have to upgrade Windows first, and that's not something that can be forced.
What do you mean by this?
"evergreen" means self-updating, with a rapid release cycle. Chrome, Edge, and Firefox follow this model. IE (essentially a legacy browser at this point) and Safari don't.
Thanks.

This works in some instances.

Not so much in others.

I would love package systems and server admins to recognize the inherit danger in allowing the servers to call out to the wild. All internet facing servers should be allowed to only call out to white listed addresses.
Do you mean blocking all IPs except for those whitelisted? Obtaining the right whitelist seems to be time consuming task. If you control your servers and trust their software, why would you cripple its operation?
A peer-to-peer hosting protocol which publishes user data outside of site silos while still "feeling" like a web app. Bonus feature: end to end encryption.
Dear overlord, stop this shit. Don't force any web user over your agenda BS.

Amazon.com worked fine from 1995 to 2016 with HTTP (only the login page was HTTPS).

If you have a crappy ISP like Verizon or whatever, it's your own personal problem - 99% of the web user don't care about your problem. Maybe use a VPN to somewhere to an ISP you can trust.

I stopped using Firefox because they turned mad. Chromium with some custom patches seems like a far better solution nowadays. Yet I see Google is too trying to destroy the open web with their PWA/AMP monoculture that is favored and listed on top of search results.

We need the EFF and other "good" foundations to lobby for the end user - too many shady and corporate entities lobby against the end user, unfortunately.

I work for EFF and we have actively lobbied for sites, including Amazon, to adopt HTTPS by default for years. Even if you have some way to verify and be confident in your ISP's privacy practices, your data is going to pass through a lot of different ISPs' facilities, and you're not going to have any control of that.
A truly obfuscatory browser: one in which everything sent to the server looked the same, regardless of which user, region, etc.
curl -H "" -o stuff.html && elinks stuff.html

I've been looking for a site I can run this on over TOR at random times for reading news but I haven't found one.

Can elinks read from stdin?
links2 can, and both of them have --dump.

The nice thing about doing it like this is that the file persists on disk so viewing a page is decoupled from fetching it (which is nice for a lot of reasons.)

With addons which disable user agents, referrers, and other details, and by disabling Javascript, you can nearly achieve this with Firefox and Chrome. I've noticed that some website refuse to serve content without a user agent.
a distributed built-in password manager (a password-less web)
- Make client-side certificate authentication mainstream. Fix the UI, UX

- Standardize on some sort of biometric identification that actually works. I HATE two-factor :(

1. Client-side certificates usage has privacy implications - https://github.com/tumi8/cca-privacy

2. Is biometric really necessary? U2F tokens already exist and are standardized (maybe not officially, I'm not sure). Chrome and Opera already support it, Mozilla's support must be coming soon (meanwhile you can use an add-on).

I am sick of the actual motions of authenticating, and many of the 2-factor implementations out there today are terrible. (SMS, really? What happens when your phone is stolen? How do you protect against an angry lover? What a joke)

U2F dongles aren't much better.

Also, a quick glance at that link seems to indicate attacker needs some sort of MITM access? Is it anything more than a replay attack?

Working version without javascript (unless it's crucial for the website). No opacity 0 animations, javascript only menus etc.
This should get more votes. It should be an internet requirement that a website has to be functional and readable without Js.

I don't know how this could be implemented though

Pay turn off ads. A certain percentage of visitors are asked to rate the content (to avoid paying) the rest of the visitors are automatically billed and pay the average rating.

Each user can specify a maximum payment and can opt to view with ads if payment requested is too much.

"grandmother" usable email encryption for the masses.
Destroy fake news (no pun intended).