W3C home > Mailing lists > Public > ietf-http-wg@w3.org > July to September 2012

Re: HTTP without being HTTPS all the time

From: Werner Baumann <werner.baumann@onlinehome.de>
Date: Fri, 20 Jul 2012 09:36:39 +0200
To: ietf-http-wg@w3.org
Message-ID: <20120720093639.32c6184c@ginster.fritz.box>
Am Thu, 19 Jul 2012 20:01:35 +0000
schrieb "Poul-Henning Kamp" <phk@phk.freebsd.dk>:

> In message <20120719184924.GM16208@1wt.eu>, Willy Tarreau writes:
> 
> >As usual, Adam gave a nice description there, and I'm sure many of
> >us are aware of the issues he describes. I'm among those who
> >consider that having only some pages of a site secured is dangerous.
> >Either the site is clear or it's not.
> 
> What about sites that are HTTP until you log in, then switch to
> HTTPS ?
> 
> That's a perfectly fair & sensible way to avoid spending resources
> on non-paying visitors.
> 

Looking at Adam's example: the problem is not mixing of HTTP and HTTPS.
The error happens when the user follows a non-trustworthy link and then
believes it to be secure because its HTTPS. These dangerous links are
not restricted to HTTP-sites they may be in HTTPS-sites as well (and
other places).

There is only one way to defend against this: the *user* must verify,
and be able to verify, that the HTTPS-url is the one she wants. The
first step in user security is always the informed decision by the
user. No way around. Technical means can only assist (and should
assist and not confuse).

The current state of helping the user to make informed decisions is
very bad. The infamous dialog on unverifyable certificates is just one
example. Telling users they are secure because it is HTTPS or all-HTTPS
wil make things worse.

Regarding banking: my bank advices me to type the HTTPS-url of the
login page by hand. I think this is good advice. But they are not
consequent and offer a link on their HTTP-site as well.

Werner
Received on Friday, 20 July 2012 07:37:19 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 20 July 2012 07:37:26 GMT