W3C home > Mailing lists > Public > public-webappsec@w3.org > December 2014

Re: Proposal: Marking HTTP As Non-Secure

From: Eduardo Robles Elvira <edulix@agoravoting.com>
Date: Sat, 13 Dec 2014 02:17:40 +0100
Message-ID: <CAHwZu3dHZmsauXRwPf6cxv1ag1-40bG6jaD+zqnJ6_c7eAeG0Q@mail.gmail.com>
To: Chris Palmer <palmer@google.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, blink-dev <blink-dev@chromium.org>, security-dev <security-dev@chromium.org>, "dev-security@lists.mozilla.org" <dev-security@lists.mozilla.org>
Hello Chris et al:

I'm a web developer. I did some vendor security-related development
sometime ago inside Konqueror. Some first thoughts:

* In principle, the proposal makes sense to me. Who doesn't want a more
secure web? Kudos for making it possible with ambitious proposals like this.

* The biggest problem I see is that to get an accepted certificate
traditionally you needed to pay. This was a show-stopper for having TLS
certs in small websites. Mozilla, EFF, Cisco, Akamai are trying to fix that
[1] and that StartSSL gives free certificates though. Just stating the
obvious: you either get easy and free "secure" certificates, or this
proposal is going to make some webmasters angry.


Regards,
--
[1]
https://www.eff.org/deeplinks/2014/11/certificate-authority-encrypt-entire-web
--
Eduardo Robles Elvira     @edulix             skype: edulix2
http://agoravoting.org       @agoravoting     +34 634 571 634

On Sat, Dec 13, 2014 at 1:46 AM, Chris Palmer <palmer@google.com> wrote:
>
> Hi everyone,
>
> Apologies to those of you who are about to get this more than once, due to
> the cross-posting. I'd like to get feedback from a wide variety of people:
> UA developers, web developers, and users. The canonical location for this
> proposal is:
> https://www.chromium.org/Home/chromium-security/marking-http-as-non-secure
> .
>
> Proposal
>
> We, the Chrome Security Team, propose that user agents (UAs) gradually
> change their UX to display non-secure origins as affirmatively non-secure.
> We intend to devise and begin deploying a transition plan for Chrome in
> 2015.
>
> The goal of this proposal is to more clearly display to users that HTTP
> provides no data security.
>
> Request
>
> We’d like to hear everyone’s thoughts on this proposal, and to discuss
> with the web community about how different transition plans might serve
> users.
>
> Background
>
> We all need data communication on the web to be secure (private,
> authenticated, untampered). When there is no data security, the UA should
> explicitly display that, so users can make informed decisions about how to
> interact with an origin.
>
> Roughly speaking, there are three basic transport layer security states
> for web origins:
>
>
>    -
>
>    Secure (valid HTTPS, other origins like (*, localhost, *));
>    -
>
>    Dubious (valid HTTPS but with mixed passive resources, valid HTTPS
>    with minor TLS errors); and
>    -
>
>    Non-secure (broken HTTPS, HTTP).
>
>
> For more precise definitions of secure and non-secure, see Requirements
> for Powerful Features <http://www.w3.org/TR/powerful-features/> and Mixed
> Content <http://www.w3.org/TR/mixed-content/>.
>
> We know that active tampering and surveillance attacks, as well as passive
> surveillance attacks, are not theoretical but are in fact commonplace on
> the web.
>
> RFC 7258: Pervasive Monitoring Is an Attack
> <https://tools.ietf.org/html/rfc7258>
>
> NSA uses Google cookies to pinpoint targets for hacking
> <http://www.washingtonpost.com/blogs/the-switch/wp/2013/12/10/nsa-uses-google-cookies-to-pinpoint-targets-for-hacking/>
>
> Verizon’s ‘Perma-Cookie’ Is a Privacy-Killing Machine
> <http://www.wired.com/2014/10/verizons-perma-cookie/>
>
> How bad is it to replace adSense code id to ISP's adSense ID on free
> Internet?
> <http://stackoverflow.com/questions/25438910/how-bad-is-it-to-replace-adsense-code-id-to-isps-adsense-id-on-free-internet>
>
> Comcast Wi-Fi serving self-promotional ads via JavaScript injection
> <http://arstechnica.com/tech-policy/2014/09/why-comcasts-javascript-ad-injections-threaten-security-net-neutrality/>
>
> Erosion of the moral authority of transparent middleboxes
> <https://tools.ietf.org/html/draft-hildebrand-middlebox-erosion-01>
>
> Transitioning The Web To HTTPS <https://w3ctag.github.io/web-https/>
>
> We know that people do not generally perceive the absence of a warning
> sign. (See e.g. The Emperor's New Security Indicators
> <http://commerce.net/wp-content/uploads/2012/04/The%20Emperors_New_Security_Indicators.pdf>.)
> Yet the only situation in which web browsers are guaranteed not to warn
> users is precisely when there is no chance of security: when the origin is
> transported via HTTP. Here are screenshots of the status quo for non-secure
> domains in Chrome, Safari, Firefox, and Internet Explorer:
>
> [image: Screen Shot 2014-12-11 at 5.08.48 PM.png]
>
> [image: Screen Shot 2014-12-11 at 5.09.55 PM.png]
>
> [image: Screen Shot 2014-12-11 at 5.11.04 PM.png]
>
> [image: ie-non-secure.png]
>
> Particulars
>
> UA vendors who agree with this proposal should decide how best to phase in
> the UX changes given the needs of their users and their product design
> constraints. Generally, we suggest a phased approach to marking non-secure
> origins as non-secure. For example, a UA vendor might decide that in the
> medium term, they will represent non-secure origins in the same way that
> they represent Dubious origins. Then, in the long term, the vendor might
> decide to represent non-secure origins in the same way that they represent
> Bad origins.
>
> Ultimately, we can even imagine a long term in which secure origins are so
> widely deployed that we can leave them unmarked (as HTTP is today), and
> mark only the rare non-secure origins.
>
> There are several ways vendors might decide to transition from one phase
> to the next. For example, the transition plan could be time-based:
>
>
>    1.
>
>    T0 (now): Non-secure origins unmarked
>    2.
>
>    T1: Non-secure origins marked as Dubious
>    3.
>
>    T2: Non-secure origins marked as Non-secure
>    4.
>
>    T3: Secure origins unmarked
>
>
> Or, vendors might set thresholds based on telemetry that measures the
> ratios of user interaction with secure origins vs. non-secure. Consider
> this strawman proposal:
>
>
>    1.
>
>    Secure > 65%: Non-secure origins marked as Dubious
>    2.
>
>    Secure > 75%: Non-secure origins marked as Non-secure
>    3.
>
>    Secure > 85%: Secure origins unmarked
>
>
> The particular thresholds or transition dates are very much up for
> discussion. Additionally, how to define “ratios of user interaction” is
> also up for discussion; ideas include the ratio of secure to non-secure
> page loads, the ratio of secure to non-secure resource loads, or the ratio
> of total time spent interacting with secure vs. non-secure origins.
>
> We’d love to hear what UA vendors, web developers, and users think. Thanks
> for reading!
>
Received on Saturday, 13 December 2014 01:18:38 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:08 UTC