Re: Semantics of HTTPS

From: Willy Tarreau <w@1wt.eu>
Date: Thu, 13 Sep 2012 13:50:49 +0200
To: Mark Nottingham <mnot@mnot.net>
Cc: Stephen Farrell <stephen.farrell@cs.tcd.ie>, Eric Rescorla <ekr@rtfm.com>, "Adrien W. de Croy" <adrien@qbik.com>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Message-ID: <20120913115049.GC4074@1wt.eu>
On Thu, Sep 13, 2012 at 08:59:06PM +1000, Mark Nottingham wrote:
> We're getting off track here -- this issue is about the semantics of the
> HTTPS scheme, in the context of HTTPbis, not potential future work.

OK but it was a proposal to address some people's concern that "https"
means "end-to-end" to people while currently at more and more places
this is not true anymore.

So the idea was to address this specific concern (which is a UI concern
in my opinion) by proposing a different scheme in the browser.

It looks like it's not a good idea in the end considering some of the
points that were made.

Going back to https, PHK is right that ends should be clearly defined,
at least to the user. In my opinion, https could be end-to-end where
one end is the local proxy. All we're dealing with is a matter of trust,
which is not a technical thing to debate on but a user choice.

If my browser tells me "You asked me to securely connect to this site,
but the proxy refuses. I can only securely connect to the proxy which
will securely connect to the site, and will be able to see and modify
all your exchanges on your behalf. Are you sure you still want to connect?"
then I know what I'm going to decide based on which site I want to visit.

The technical point is if we permit the secure end to start at the proxy,
then we need to ensure that what is announced to the user is what is
going to be performed.

Regards,
Willy
Received on Thursday, 13 September 2012 11:51:30 GMT