Re: Moving forward on improving HTTP's security

From: Willy Tarreau <w@1wt.eu>
Date: Thu, 14 Nov 2013 21:16:39 +0100
To: Nicholas Hurley <hurley@todesschaf.org>
Cc: Julian Reschke <julian.reschke@gmx.de>, Zhong Yu <zhong.j.yu@gmail.com>, Mike Belshe <mike@belshe.com>, "William Chan (?????????)" <willchan@chromium.org>, James M Snell <jasnell@gmail.com>, Stephen Farrell <stephen.farrell@cs.tcd.ie>, Michael Sweet <msweet@apple.com>, Nicolas Mailhot <nicolas.mailhot@laposte.net>, Tao Effect <contact@taoeffect.com>, Tim Bray <tbray@textuality.com>, Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <20131114201639.GH7262@1wt.eu>
On Thu, Nov 14, 2013 at 11:22:17AM -0800, Nicholas Hurley wrote:
> On Thu, Nov 14, 2013 at 10:52 AM, Julian Reschke <julian.reschke@gmx.de> wrote:
> 
> > So how does my home router get a certificate? In particular, if I need to
> > configure it first to connect to the internet?
> >
> > Best regards, Julian
> >
> 
> Off the top of my head, here are a couple of ways (by no means an exhaustive
> list, and by no means are these guaranteed to be the best options):
> 
> 1. Comes with one from the vendor. The program CD (or USB stick or
> whatever) used to do configuration can be specially configured to know
> about the otherwise invalid cert being used.
> 2. First-time setup happens over an unencrypted HTTP/1.1 channel (which is
> probably ok, as chances are you're going to be plugged directly into the
> router at this point, and as you said - you're likely not connected to the
> internet) which then generates a cert and has you install it in your
> browser, allowing you to use the secure channel in the future.

This cert will have to be self-signed or signed by another one already in the
device. And in order to avoid the browser's error you'll have to install this
signing cert into your browser. Then anyone stealing this cert (assuming it
was generated; if it's shipped it's worse) can sign rogue certs for whatever
domains, which will happily be accepted by your browser. You also have the
issue of the validity date, which generally is not right for such devices.

> All that said, I'm not a UX designer or anything like that, so I'm sure
> there would be some rough edges around these workflows, but I'm confident
> that we (and UX designers) are smart enough to solve those kinds of issues.

Yes, just like some other users are smart enough to abuse what smart people
design; this is a never-ending loop.

Willy
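As an added illustration of the point made above (example code, not part of this thread or any project discussed in it; the name router.local and the 100-year lifetime are constructed assumptions): a Go program that mints the kind of self-signed certificate a router's first-time setup flow would generate, then lists what a user would give away by importing it into a browser trust store.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// AssessTrustAnchor lists what installing cert as a trust anchor gives away:
// an unconstrained CA lets whoever holds its key sign for any domain, and
// device-generated certs often carry validity periods nobody would accept.
func AssessTrustAnchor(cert *x509.Certificate, now time.Time) []string {
	var findings []string
	if cert.IsCA && len(cert.PermittedDNSDomains) == 0 && len(cert.PermittedIPRanges) == 0 {
		findings = append(findings, "unconstrained CA: its key can sign certs for any domain")
	}
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		findings = append(findings, "not valid at the current time")
	}
	if cert.NotAfter.Sub(cert.NotBefore) > 10*365*24*time.Hour {
		findings = append(findings, "validity period longer than 10 years")
	}
	return findings
}

// NewDeviceCert mimics a router setup flow: a self-signed cert for the
// hypothetical name router.local. With asCA set it is the signing cert such
// a flow would ask the user to install; without it, a plain leaf cert.
func NewDeviceCert(now time.Time, asCA bool, years int) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "router.local"},
		DNSNames:              []string{"router.local"},
		NotBefore:             now,
		NotAfter:              now.AddDate(years, 0, 0),
		BasicConstraintsValid: true,
		IsCA:                  asCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if asCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // the device signs other certs
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	now := time.Now()
	for _, ca := range []bool{true, false} {
		cert, err := NewDeviceCert(now, ca, 100)
		if err != nil {
			panic(err)
		}
		fmt.Printf("CA=%v findings=%v\n", ca, AssessTrustAnchor(cert, now))
	}
}
```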
Received on Thursday, 14 November 2013 20:17:24 UTC