Re: SSL/TLS everywhere fail

From: Mark Nottingham <mnot@mnot.net>
Date: Sat, 5 Dec 2015 11:39:29 +1100
Cc: Cory Benfield <cory@lukasa.co.uk>, Adrien de Croy <adrien@qbik.com>, Jacob Appelbaum <jacob@appelbaum.net>, Mike Belshe <mike@belshe.com>, Amos Jeffries <squid3@treenet.co.nz>, httpbis mailing list <ietf-http-wg@w3.org>
Message-Id: <BE05C37D-61A7-43DC-9A7A-E7E1A6B2C5EB@mnot.net>
To: Poul-Henning Kamp <phk@phk.freebsd.dk>

Responding as an individual --

On 5 Dec 2015, at 11:10 am, Poul-Henning Kamp <phk@phk.freebsd.dk> wrote:

> My point is that TLS anywhere made this *possible* for them.
> MiTM of TLS is a COTS product.
> If instead of rushing head-first into "TLS everywhere!!!!!" reactive
> posture without a minimum of strategic planning, people had spent
> a moment thinking forward, they would have realized that TLS
> everywhere makes it *easier* to disable privacy in total, because
> the entire infrastructure and *market* is already in place[1].

MiTM was a COTS product long before people started agitating for "TLS everywhere." It may have enlarged that market, but the technology was already there, and already a viable business for several vendors.

> The correct response would have been to roll out more or less
> *exactly* what the encryption draft contains, along with a wide
> number of diverse key-management schedules.

I'd encourage you to talk to some browser security teams to understand why that is not at all a viable replacement for TLS. The W3C's Web Application Security Working Group is a good place to start.

>> As I understand it, your objection is not with *this working group*,
> My objection is with naïve nerds who think that quick technical
> hacks can solve heavy-duty political problems.
> This WG has a solid majority from that camp, even if they never
> wrote this one particular stupid decision into a RFC, but only
> implemented it in their software.

I think you're creating a straw-man here. No one has said that TLS everywhere is the only solution, or even a sufficient one. 

Indeed, much of the impetus for that effort is from other sources. Attacks like FireSheep and the Google Streetview drive-by illustrate how easy it is to gather data, and in modern life, much of our personal data is online. Add to that the increasing power of the Web platform (e.g., with geolocation, camera access, local data access, etc.), and HTTPS becomes necessary if only just for integrity and authentication. 

We wrote about this in the W3C TAG's "Securing the Web" finding: <http://www.w3.org/2001/tag/doc/web-https>


Mark Nottingham   https://www.mnot.net/
Received on Saturday, 5 December 2015 00:40:05 UTC