
Re: Proposal: Prefer secure origins for powerful new web platform features

From: Eduardo' Vela\ <evn@google.com>
Date: Thu, 21 Aug 2014 14:09:16 -0700
Message-ID: <CAFswPa9mWXybmScE2Jmsie0Ec8EQRS39e8FKxtcfP4ZQGZn0_Q@mail.gmail.com>
To: Chris Palmer <palmer@google.com>
Cc: Mark Watson <watsonm@netflix.com>, Jim Manico <jim.manico@owasp.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>

On Thu, Aug 21, 2014 at 1:59 PM, Chris Palmer <palmer@google.com> wrote:

> On Wed, Aug 20, 2014 at 10:30 AM, Eduardo' Vela" <Nava> <evn@google.com> wrote:
>
> > I don't think having SSL-only features is good. To get an SSL
> > certificate you need to pay.. we are essentially forcing developers to
> > pay money to some dubious organization (every year!) just so that they
> > can use some web features. Note this isn't the case for DNS nor even an
> > IP (since you can do it in a university, for example, without paying
> > anyone, or in an intranet, or at home, etc). It's not really a great
> > idea.
>
> As I have said before, in another forum:
>
> """Unfortunately, secure introduction for peers in a
> globally-distributed system remains a hard problem, and so we have to
> make do with a little duct tape (trusted third parties, in this case).
> We are trying as hard as we can to reduce the amount of trust placed
> in the third parties, while also finding ways to bolster their
> trustworthiness. (See e.g. Certificate Transparency.) But, yes, they
> do perform some work, and $15 is the marginal amount they need to
> continue operating."""
>
> I think you'll be hard-pressed to find a modern platform for which
> developers have great power but no responsibility. The costs of
> code-signing have raced to the bottom.
>
> > It might also be worth noting that for some use-cases and setups, SSL
> > doesn't add any security benefits. I see there is "localhost" and 127/8
> > to try and address this concern, but this will never be a complete
> > list, and will just break sites for users, annoy developers, and
> > introduce dangerous practices.
>
> Can you explain more? What are some realistic public deployment
> scenarios in which TLS is utterly useless?
>

Any setup where the network is outside of your threat model.

Think of the way Chromecast is configured: it's an HTTP server listening on
a wifi network. You can't distribute an SSL certificate to the device
(there's no internet access yet), and we will hold some web platform
hostage from them for no good reason.

Not all web applications are connected to the internet. Same for VPN
services where you can authenticate at a network level.
Received on Thursday, 21 August 2014 21:10:03 UTC
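
The disagreement above turns on which origins would count as secure. As an added illustration (not part of the original message, and not any browser's actual implementation), the code below applies the rule the thread mentions, HTTPS plus an exception for "localhost" and 127/8, to constructed sample URLs; `classifyOrigin`, `isLoopbackIPv4` and all addresses are assumptions made for this example.

```javascript
// Added example: classify an origin under the rule discussed in the thread.
// Secure = HTTPS, or plain HTTP to "localhost" or an address in 127.0.0.0/8.
// Function names and sample URLs are constructed for illustration.

function isLoopbackIPv4(host) {
  // Anchored match so "127.0.0.1.example.com" is not mistaken for an IP.
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  const octets = m.slice(1).map(Number);
  return octets.every((o) => o <= 255) && octets[0] === 127;
}

function classifyOrigin(urlString) {
  let url;
  try {
    url = new URL(urlString); // WHATWG parser: lowercases and normalizes host
  } catch (e) {
    return { secure: false, reason: "unparseable URL" };
  }
  if (url.protocol === "https:") {
    return { secure: true, reason: "authenticated transport" };
  }
  if (url.protocol === "http:") {
    // Exact hostname comparison: "localhost.example.com" must not match.
    if (url.hostname === "localhost" || isLoopbackIPv4(url.hostname)) {
      return { secure: true, reason: "loopback exception" };
    }
    return { secure: false, reason: "plain HTTP to a non-loopback host" };
  }
  return { secure: false, reason: "scheme not covered by the rule" };
}

// Constructed samples: public site, loopback, a LAN device setup page,
// a host reached over a VPN, and two look-alike hostnames.
const samples = [
  "https://example.com/",
  "http://localhost:8000/",
  "http://127.0.0.53/",
  "http://192.168.1.20:8008/setup",
  "http://10.8.0.5/",
  "http://127.0.0.1.example.com/",
  "http://localhost.example.com/",
];
for (const s of samples) {
  const r = classifyOrigin(s);
  console.log(`${s} -> ${r.secure ? "secure" : "not secure"} (${r.reason})`);
}
```

The LAN device and VPN-only hosts are classified as not secure even though the network may be outside the operator's threat model, which is the gap the message describes; the look-alike hostnames show why the exception has to be an exact match rather than a substring test.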
