
Re: Moving forward on improving HTTP's security

From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Date: Wed, 13 Nov 2013 21:57:46 +0000
Message-ID: <5283F5DA.50606@cs.tcd.ie>
To: Willy Tarreau <w@1wt.eu>, Mike Belshe <mike@belshe.com>
CC: "William Chan" <willchan@chromium.org>, Tao Effect <contact@taoeffect.com>, Tim Bray <tbray@textuality.com>, James M Snell <jasnell@gmail.com>, Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>

I have to agree that the logic here is hard to find.

On 11/13/2013 09:54 PM, Willy Tarreau wrote:
> On Wed, Nov 13, 2013 at 01:23:41PM -0800, Mike Belshe wrote:
>> To paraphrase, you're saying:
>>    "I don't like TLS because I use the presence of TLS to know that I could
>> be hacked right now.   But if you turn on TLS always, I won't be able to
>> tell if I can get hacked."
> 
> Huh? No. I mean "The TLS model is fine for me as long as it's used where
> needed and if it's not abused because I expect all actors in the chain to
> care about security". Let's ensure we don't break that weak link from the
> root CAs to me by making its use mandatory for all no-value stuff that
> nobody cares about and which will make it normal for everyone to deploy
> broken configs and rogue CAs everywhere for the sake of simplicity.

Breaking the link by making it mandatory sounds like wild supposition.

S

> 
>> To summarize:
>>   1) You're happy with the security you get with TLS to Paypal now
>>   2) You're unhappy with that same security (TLS) enforced everywhere
>> because it is suddenly less secure.
> 
> Exactly.
> 
>> This is also illogical.  We're not changing TLS.
> 
> Yes you are. You're not changing the protocol but the economics and
> the actors' motives to deliver certs the proper way. When certs are
> needed to connect to my printer, I doubt I'll have to order a new
> cert every year to connect to it once every 3 years at most to change
> its IP address. Instead the manufacturer will want a 10-year cert,
> and since he won't be able to get that, some CAs will start to offer
> this (possibly at a high price). We'll possibly find it much easier
> and cheaper to become a valid CA and to issue certs for anyone. I'm
> sorry but the day I can issue a paypal cert myself and have my browser
> accept it without me having to do anything with its configuration, I'll
> start to get a little bit scared.
> 
> Right now it's simple: TLS is annoying to deploy so you do it where
> it matters. It can be free but at least it requires some care and you
> are willing to accept that for the sites you value. Once you don't
> value anymore the certs you are installing and users start to do wrong
> things such as clicking 100 times a day "Ignore this cert error" because
> everyone uses crappy certs, the TLS model will be useless.
> 
> Willy
> 
Received on Wednesday, 13 November 2013 21:58:12 UTC
