
Re: Marking HTTP As Non-Secure

From: Eduardo' Vela\ <evn@google.com>
Date: Thu, 18 Dec 2014 16:37:31 +0100
Message-ID: <CAFswPa_teT4UFcm-QRjCg=qqXAODC_1Z2Wg-b2w5KvnU4hHZaw@mail.gmail.com>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Cc: Patrick Kolodziejczyk <patrick.kolodziejczyk@viseo.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Thu, Dec 18, 2014 at 4:29 PM, Daniel Kahn Gillmor <dkg@fifthhorseman.net>
wrote:
>
> Hi Patrick--
>
> Thanks for reading the proposal and giving feedback.
>
> On 12/17/2014 05:42 AM, Patrick Kolodziejczyk wrote:
>
> > I don't like the idea of saying HTTP is not secure, by default.
>
> I don't think any of the arguments you've presented are good reasons to
> continue displaying http without a non-secure indicator.
>
> > It's like hiding to read a newspaper. Yes, if it's a problem to do it,
> > it's better that we make it private stuff. But IF we think it's not a
> > problem and shouldn't be, then we have to make sure it stays "safe and
> > public".
>
> All the information in the newspaper can be public, but you might still
> not want everyone to know which articles in the newspaper you are
> interested in reading.
>
> Among other things, HTTPS provides some confidentiality to *the act of
> reading*, but does not restrict web sites from publishing public data.
>

HTTPS most likely doesn't hide which news articles you are reading. Traffic
analysis against a site like a public news site is very likely to provide a
near-perfect prediction.

> > Plus, the fact that sources of information start to adjust their
> > discourse as a function of their reader.
>
> This is possible under cleartext HTTP too, as well.  Not only that, but
> other parties can also adjust the information as a function of the reader:
>
> http://arstechnica.com/tech-policy/2014/09/why-comcasts-javascript-ad-injections-threaten-security-net-neutrality/
> http://www.wired.com/2014/10/verizons-perma-cookie/
>
> (these links were in the article you linked)
>
> > Making it private makes sure that no one will ever verify that.
>
> No one is verifying that they received the same data as others have
> received right now with cleartext HTTP or with HTTPS.  But even if they
> were, marking HTTP as non-secure wouldn't prevent anyone from doing so.
>
> Regards,
>
>         --dkg
>
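As an added illustration of the traffic-analysis point made above (example code, written for this archive page and not by anyone in the thread): the article corpus, its sizes and the padding buckets are constructed assumptions, and the observable length of an HTTPS response is modelled simply as the body length with constant record and header overhead ignored.

```python
# Toy model of why TLS hides the bytes of a public article but not
# *which* article was fetched: if every page has a distinct size, the
# encrypted response length alone maps back to the page. Padding
# responses up to fixed-size buckets is one mitigation; the functions
# below measure how many articles stay distinguishable under each.
# The corpus is constructed for this example, not taken from any site.

# Constructed corpus: article path -> plaintext body (sizes all differ,
# as they would on a real news site).
ARTICLES = {
    "/politics/budget-vote": "budget vote coverage. " * 240,   # 5280 bytes
    "/tech/new-phone-review": "review text. " * 260,          # 3380 bytes
    "/sports/final-score": "final score. " * 320,             # 4160 bytes
    "/health/flu-season": "flu season advice. " * 280,        # 5320 bytes
    "/opinion/editorial": "editorial. " * 250,                # 2750 bytes
}

def ciphertext_length(body: str, pad_to: int = 1) -> int:
    """Observable length of an HTTPS response carrying `body`.

    Modelled as the body length rounded up to a multiple of `pad_to`
    (pad_to=1 means no padding). TLS record and HTTP header overhead
    is assumed constant per response and therefore ignored.
    """
    n = len(body.encode())
    return -(-n // pad_to) * pad_to  # ceiling to the next bucket boundary

def build_fingerprints(pad_to: int = 1) -> dict:
    """Map each observable length to the set of articles producing it."""
    table: dict = {}
    for path, body in ARTICLES.items():
        table.setdefault(ciphertext_length(body, pad_to), set()).add(path)
    return table

def identify(observed_len: int, pad_to: int = 1) -> set:
    """Articles consistent with a single observed response length."""
    return build_fingerprints(pad_to).get(observed_len, set())

def fraction_uniquely_identified(pad_to: int = 1) -> float:
    """Share of articles whose padded length is unique in the corpus."""
    fp = build_fingerprints(pad_to)
    unique = sum(1 for paths in fp.values() if len(paths) == 1)
    return unique / len(ARTICLES)

if __name__ == "__main__":
    for pad in (1, 1024, 8192):
        share = fraction_uniquely_identified(pad)
        print(f"pad_to={pad:5d}: {share:.0%} of articles uniquely identified")
```

With no padding every article is identified from its length alone; 1 KiB buckets still leave three of five unique, and only a bucket larger than every article makes them indistinguishable by size (at the cost of bandwidth, and without addressing timing or sub-resource patterns).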
Received on Thursday, 18 December 2014 15:38:19 UTC
