Re: Proposal: Prefer secure origins for powerful new web platform features

From: John Kemp <john@jkemp.net>
Date: Fri, 22 Aug 2014 06:41:49 -0400
Message-ID: <53F71E6D.8070305@jkemp.net>
To: public-webappsec@w3.org

On 08/22/2014 01:13 AM, Ian Melven wrote:
>
> I'm not seeing any arguments against requiring secure origins for
> certain functionality beyond the same old arguments against using SSL :

I can think of at least one more:

>
> * it costs some almost negligible amount of money
> * it requires some non-zero amount of work on the part of the website
> operator
>
> am i missing something ?

SSL doesn't solve a problem that many people think it does (that of 
authentication of the server). Thus, MITM is still possible (probable) 
in many deployments (Wifi hotspot portal in coffee shop, say, or proxy 
browsers).

Regards,

- johnk

>
> cheers,
> ian
>
>
> On Thu, Aug 21, 2014 at 7:04 PM, Jim Manico <jim.manico@owasp.org> wrote:
>
>      > I do not get why Geolocation [...] need to be SSL only.
>
>     Make it SSL by default and allow the developer to go through a few
>     hoops to turn it off. Then ensure browsers provide warnings to users
>     when geoLoc data is sent over HTTP...
>
>     This seems to be a good balance between privacy (browser warnings),
>     developer needs (HTTP support), and security (default to SSL).
>
>     --
>     Jim Manico
>     @Manicode
>     (808) 652-3805
>
>      > On Aug 21, 2014, at 6:21 PM, Adam Langley <agl@google.com> wrote:
>      >
>      >> On Thu, Aug 21, 2014 at 3:29 PM, Eduardo' Vela" <Nava> <evn@google.com> wrote:
>      >> I do not get why Geolocation [...] need to be SSL only.
>      >
>      > Let's just take this one for a moment. We're giving the web platform a
>      > fairly significant power here and it's pretty reasonable to want to
>      > take the sharp edge off it.
>      >
>      > When we ask the user whether they want to share their location with
>      > example.com, it's not reasonable to turn around later and say "oh,
>      > didn't you notice the lack of https? It's thus completely your fault
>      > that you inadvertently shared your location with example.com and also
>      > your ISP, government, etc.". We don't want to build a world where that
>      > sort of information is commonly sent in the clear
>      >
>      > But the aim is not to make experimentation hard either. It really
>      > shouldn't be, it's just that setting up a local CA and the DNS for
>      > experimentation is harder than it should be. If loopback adaptors
>      > weren't configured by default then HTTP would be a pain to experiment
>      > with also. If I had lots of free time, I'd submit patches to distros
>      > to make it easier. But that's a much better direction than a clear
>      > text world.
>      >
>      >
>      > Cheers
>      >
>      > AGL
>
>
>
Received on Friday, 22 August 2014 10:42:24 UTC