
Re: Some reasons why mandating use of SSL for HTTP is a really bad idea

From: Zhong Yu <zhong.j.yu@gmail.com>
Date: Wed, 18 Jul 2012 12:01:23 -0500
Message-ID: <CACuKZqFHc9z_kD+KSY88s5JORWPvBQ7mmzy3+2FdAJ6F_aQNrQ@mail.gmail.com>
To: "Adrien W. de Croy" <adrien@qbik.com>
Cc: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>

On Tue, Jul 17, 2012 at 10:25 PM, Adrien W. de Croy <adrien@qbik.com> wrote:
> What about the other hundreds of millions of us running web servers.  You
> gonna buy us our certs?

Agreed. It's absolutely impractical to mandate officially signed certs
on every website. That's a huge hurdle for small sites; and all big
sites started from small sites.

---

Here's a related story that's very interesting. Self-signed certs are
used by the official ticket booking site of the Ministry of Railways of
China. Apparently they want to save a few bucks.

Customers are asked to download and install an untrusted root cert
from its website. From the average user's point of view, that makes sense
- if you do more work, that's got to increase security, right? Almost
everybody in China takes trains, so this root cert must have been
installed widely.

http://www.12306.cn
"To ensure a smooth booking experience, please download and install
the root certificate"

http://www.12306.cn/mormhweb/kyfw/question/201204/t20120427_2115.html
FAQ > Security Alert
When a user tries to log in, often he/she will see IE security
warnings ... That's because the user has not imported the root
certificate shown on the home page ... To navigate the site smoothly,
simply follow the instructions and import the root certificate.

The root cert and instructions:
http://www.12306.cn/mormhweb/ggxxfw/wbyyzj/201106/srca12306.zip

A cert signed by the root cert:
https://dynamic.12306.cn
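As an added illustration of what "import the root certificate" changes on the client side (this is example code written for this archive page, not code from anyone on the list and not from 12306.cn), the following Go program builds a throwaway self-signed root of the kind described above, issues a server certificate from it, and runs the same chain validation a TLS client performs. With the root absent from the trust store the leaf fails with an unknown-authority error, which is the warning the FAQ tells users to make go away; once the root is added, the leaf validates, and so does any certificate that root issues for any other hostname, which is the scope of trust a user hands over by importing it. All names (Example Private Root CA, ticket.example, unrelated.example) are constructed placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// PrivateRoot is a self-signed CA of the kind the message describes: present
// in no browser or OS trust store, so users are told to import it by hand.
// Everything here is constructed for the example; the names are hypothetical.
type PrivateRoot struct {
	Cert *x509.Certificate
	key  *ecdsa.PrivateKey
	next int64 // serial number counter for issued certificates
}

// NewPrivateRoot generates a fresh self-signed root CA certificate.
func NewPrivateRoot(name string) (*PrivateRoot, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	// Self-signed: the template is its own parent.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &PrivateRoot{Cert: cert, key: key, next: 2}, nil
}

// IssueLeaf signs a server certificate for hostname with the root key.
// Nothing in the root restricts which hostnames it may vouch for.
func (r *PrivateRoot) IssueLeaf(hostname string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(r.next),
		Subject:      pkix.Name{CommonName: hostname},
		DNSNames:     []string{hostname},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	r.next++
	der, err := x509.CreateCertificate(rand.Reader, tmpl, r.Cert, &key.PublicKey, r.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyWithRoots validates leaf for hostname against exactly the given trust
// anchors. No roots at all means "nothing trusted", not the system store.
func VerifyWithRoots(leaf *x509.Certificate, hostname string, roots ...*x509.Certificate) error {
	pool := x509.NewCertPool()
	for _, c := range roots {
		pool.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     pool,
		DNSName:   hostname,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// IsUnknownAuthority reports whether err is the "chain does not end at a
// trusted root" failure, which is what the security warning in the FAQ reflects.
func IsUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

func main() {
	root, err := NewPrivateRoot("Example Private Root CA")
	if err != nil {
		panic(err)
	}
	leaf, err := root.IssueLeaf("ticket.example")
	if err != nil {
		panic(err)
	}
	fmt.Println("before import:", VerifyWithRoots(leaf, "ticket.example"))
	fmt.Println("after import: ", VerifyWithRoots(leaf, "ticket.example", root.Cert))
	other, _ := root.IssueLeaf("unrelated.example") // same root, unrelated name
	fmt.Println("other name:   ", VerifyWithRoots(other, "unrelated.example", root.Cert))
}
```

The first line of output carries an unknown-authority error, the other two print `<nil>`. Hostname checking still applies after the import (a certificate for ticket.example does not validate for another name), but the imported root itself is unscoped: because it carries no name constraints, every certificate it signs validates on that machine, which is why a reviewer would treat "install our root" as a trust decision for the whole browser rather than for one site.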

Received on Wednesday, 18 July 2012 17:01:51 GMT