W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2012

Re[2]: The TLS hammer and resource integrity

From: Adrien W. de Croy <adrien@qbik.com>
Date: Wed, 28 Mar 2012 23:37:24 +0000
To: "patrick mcmanus" <pmcmanus@mozilla.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Message-Id: <em88120d40-c88b-4827-aa93-83871d4baf77@BOMBED>
  
I think wherever a user-initiated activity is involved, the issue of 
privacy will be subjective.  So for whatever example is given, be it 
p0rn, ads whatever there is no universal right or wrong answer.
  
But there are several areas where it's just technical.
  
For instance, OCSP and CRL is delivered over HTTP.  This can't use 
SSL/TLS, else it creates a paradox - how do you validate the cert used 
to validate the cert (ad infinitum)?
  
Another topical issue relates to infrastructure providers and security 
concerns about eavesdropping.  Your network infrastructure starts 
phoning home using TLS and you'll have some nervous admins.  Some 
communication needs to be demonstrably open and transparent.
  
On the topic of OCSP, there's an existing issue relating to 
concentration of risk.  If you can break cert validation on millions of 
sites just by DDoSing a couple OCSP servers, then that will become a 
bigger problem as TLS gets rolled out.
  
The requirements to be able to issue certificates will need to be 
strengthened to enforce bullet-proof validation infrastructure.  We 
already have issues with access to OCSP servers for validation.
  
Adrien
  
  

------ Original Message ------
From: "patrick mcmanus" <pmcmanus@mozilla.com>
To: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Sent: 29/03/2012 10:59:06 a.m.
Subject: Re: The TLS hammer and resource integrity
>On 3/28/2012 11:42 PM, Willy Tarreau wrote: 
>>
>>Not necessarily but similarly we don't necessarily want to decide for 
>>the users that they need privacy where that really does not make 
>>sense 
>>for them. If you have a widget on your TV displaying a beautiful 
>>clock 
>>which looks nice in your living room, you don't care a dime that the 
>>time of day is retrieved over HTTP and that someone else can see the 
>>time you're seeing. 
>
>You might care that someone else knows that you are seeing it (and are 
>therefore present and watching your tv). Domestic violence prevention 
>advocates care about this stuff a lot - TLS makes it better without 
>completely fixing it. (i.e. you can see that there is some activity 
>but you might not be able to distinguish from other less identifying 
>automatic activity, or cannot associate it with a cookie that would 
>tell you who was using what appliance, etc..) 
>
>the content provider is in no position to make this decision about the 
>user's privacy and is certainly not incented to care. I want to build 
>a web that at least mitigates passive sniffing attacks - we can do 
>that now. The state of things when we make security optional is just 
>embarrassing. 
>
>
>
>
Received on Wednesday, 28 March 2012 23:37:58 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:51:57 GMT