Re: Fwd (TAG): Draft finding - "Transitioning the Web to HTTPS" from Nick Doty on 2014-12-19 (public-privacy@w3.org from October to December 2014)

From: Nick Doty <npdoty@w3.org>
Date: Fri, 19 Dec 2014 15:04:31 -0800
To: Domenic Denicola <d@domenic.me>
Cc: "Eric J. Bowman" <eric@bisonsystems.net>, David Singer <singer@apple.com>, TAG List <www-tag@w3.org>, "public-privacy (W3C mailing list)" <public-privacy@w3.org>
Message-Id: <3600A076-35D5-43BC-B0A9-FB8DF6EA6485@w3.org>

On Dec 19, 2014, at 2:45 PM, Domenic Denicola <d@domenic.me> wrote:
> 
> From: Nicholas Doty [mailto:npdoty@berkeley.edu]
> 
>> It does seem like it would be useful for the TAG finding to explicitly address this point.
> 
> Given the persistent confusion by various parties around this point, I am beginning to agree. There were three posts earlier today on blink-dev which may be useful to draw upon:
> 
> https://groups.google.com/a/chromium.org/d/msg/blink-dev/DHQLv76QaEM/TdhGW9qi9UAJ
> https://groups.google.com/a/chromium.org/d/msg/blink-dev/DHQLv76QaEM/do5rrsTsk5AJ
> https://groups.google.com/a/chromium.org/d/msg/blink-dev/DHQLv76QaEM/oQgaGo8jqsoJ
> 
> Filed as https://github.com/w3ctag/web-https/issues/9 <https://github.com/w3ctag/web-https/issues/9>

Thanks for tracking these, Domenic. I think the Chromium list about the myth of “the only security guarantee TLS provides is confidentiality” is particularly useful and I’ll certainly point people to it.

https://sites.google.com/a/chromium.org/dev/Home/chromium-security/education/tls?pli=1#TOC-The-only-security-guarantee-TLS-provides-is-confidentiality <https://sites.google.com/a/chromium.org/dev/Home/chromium-security/education/tls?pli=1#TOC-The-only-security-guarantee-TLS-provides-is-confidentiality>

I think authentication and integrity are likely to be the more attractive properties to many site owners than confidentiality (or at least to ones that don’t share concerns about confidentiality with their users).

You might add the integrity guarantee about execution of tampered-with JavaScript to that list. Even if my site doesn’t ask for geolocation or access to other device APIs, an attacker could introduce those function calls into the JavaScript on my HTTP page and my visitors might mistakenly provide access to the attacker by trusting my site. (This of course might be influenced by implementation decisions regarding device APIs and other powerful features, but it’s a real advantage to my visitors in the meantime.)

Nick

Received on Friday, 19 December 2014 23:04:48 UTC