
Re: Some reasons why mandating use of SSL for HTTP is a really bad idea

From: Henry Story <henry.story@bblfish.net>
Date: Wed, 18 Jul 2012 18:26:24 +0200
Cc: Mike Belshe <mike@belshe.com>, grahame@healthintersections.com.au, "Adrien W. de Croy" <adrien@qbik.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Message-Id: <0FB83020-D95B-4FFD-B51B-2620FAF528A6@bblfish.net>
To: Zhong Yu <zhong.j.yu@gmail.com>

On 18 Jul 2012, at 18:21, Zhong Yu wrote:

> That's nice, but I don't think content tampering is a major concern in
> this discussion.

It is extremely important to the security of the whole web. Currently
most sites serving web pages over plain HTTP can be man-in-the-middle
attacked. So you read a blog post of a good friend of yours who is talking
about some web site, and a man in the middle changes a key link to go
to a site that resembles very much the site of the shop he spoke about but
is in fact a pirate shop.

Even if all web sites were to move to null cypher suites, the value in 
security to the whole web would be gigantic I believe.

Henry

> 
> On Wed, Jul 18, 2012 at 11:09 AM, Henry Story <henry.story@bblfish.net> wrote:
>> 
>> On 18 Jul 2012, at 18:03, Zhong Yu wrote:
>> 
>>> If TLS is mandated, yet NULL cipher is acceptable, what was the point
>>> of mandating TLS in the first place?
>> 
>> You get the security that the information was not corrupted along the way.
>> The user experience really needs to make that visible, but that's not a problem
>> with TLS.
>> 
>> 
>>> 
>>> On Tue, Jul 17, 2012 at 11:24 PM, Mike Belshe <mike@belshe.com> wrote:
>>>> 
>>>> 
>>>> On Tue, Jul 17, 2012 at 9:20 PM, Grahame Grieve <grahame@kestral.com.au>
>>>> wrote:
>>>>> 
>>>> Naw - this is not a big deal.  For instance, a server can send a NULL cipher
>>>> to the client.  In normal modes, browsers will reject the NULL cipher and
>>>> not negotiate it.  However, you can use command line flags to allow it.
>>>> 
>>>> We do this all the time.  Another example is for turning on
>>>> same-origin-policy.  Browsers often have debugging modes for turning it off.
>>>> You have to run the browser in a special, techie, opt-in way to do it, but
>>>> it is there.
>>>> 
>>>> I used these all the time when developing in Chrome.
>>>> 
>>>> Mike
>>>> 
>>>> 
>>>>> 
>>>>> 
>>>>> Grahame
>>>> 
>>>> 
>>> 
>> 
>> Social Web Architect
>> http://bblfish.net/
>> 

Social Web Architect
http://bblfish.net/
Received on Wednesday, 18 July 2012 16:26:59 GMT
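The integrity-only property Henry argues for above (a NULL cipher suite leaves the page readable on the wire but still lets the receiver detect a rewritten link) modelled as an added example; this is not code from the thread or from any of its participants. The HMAC key stands in for the MAC key a TLS handshake would derive, and the page body and link values are constructed samples.

```python
# Added example (not part of the original thread): a NULL-cipher TLS record
# carries the body in plaintext plus a keyed MAC. An on-path party can read
# and alter the body, but without the key cannot produce a tag the receiver
# accepts, so the "changed key link" scenario from the reply is detected.
import hmac
import hashlib
import secrets

# Constructed sample page body: the blog post's link to the shop.
ORIGINAL_BODY = b'<p>Buy it at <a href="https://shop.example/">the shop</a></p>'


def protect(key: bytes, body: bytes) -> tuple[bytes, bytes]:
    """Sender side: body stays plaintext (NULL encryption), HMAC-SHA256 tag appended."""
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body, tag


def verify(key: bytes, body: bytes, tag: bytes) -> bool:
    """Receiver side: recompute the tag and compare in constant time."""
    expected = hmac.new(key, body, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def on_path_rewrite(body: bytes, old: bytes, new: bytes) -> bytes:
    """Models the man-in-the-middle from the reply: the plaintext is readable
    and editable in transit, but the original tag no longer matches it."""
    return body.replace(old, new)


def demo() -> dict:
    # Placeholder for the per-session MAC key TLS would negotiate.
    key = secrets.token_bytes(32)
    body, tag = protect(key, ORIGINAL_BODY)
    # Over plain HTTP this rewrite would be accepted silently; here it is caught.
    tampered = on_path_rewrite(body, b"https://shop.example/", b"https://shop-example.test/")
    return {
        "plaintext_readable": b"shop.example" in body,  # no confidentiality
        "original_ok": verify(key, body, tag),          # untouched record accepted
        "tampered_ok": verify(key, tampered, tag),      # rewritten link rejected
    }


if __name__ == "__main__":
    print(demo())
```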
