W3C home > Mailing lists > Public > public-webappsec@w3.org > December 2014

Re: Marking HTTP As Non-Secure

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date: Thu, 18 Dec 2014 11:10:21 -0500
Message-ID: <5492FC6D.7040200@fifthhorseman.net>
To: "Eduardo' Vela\" <Nava>" <evn@google.com>
CC: Patrick Kolodziejczyk <patrick.kolodziejczyk@viseo.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On 12/18/2014 10:37 AM, Eduardo' Vela" <Nava> wrote:
> [dkg wrote:]
>> > Among other things, HTTPS provides some confidentiality to *the act of
>> > reading*, but does not restrict web sites from publishing public data.
>
> HTTPS most likely doesn't hide which news articles you are reading. Traffic
> analysis against a site like a public news site is very likely to provide a
> near-perfect prediction.

You'll note that i said "some" confidentiality :)

I'm aware of traffic analysis issues like [0].  These attacks require
some (not enormous) investment from the adversary in gathering data from
various sites and producing the statistical models that give plausible
content prediction.  I agree that we should not ignore or underestimate
them.

In the meantime, cleartext HTTP allows a simple keyword search of the
raw data stream for anyone who wants to censor, surveil, or "clean up"
traffic based on what you're reading.

There are possible mitigation techniques against traffic analysis (like
including padding in the underlying data or at the TLS layer, ensuring
that subresources are all same-origin, etc), and we will need further
development and research in this area.  But these mitigation techniques
are useless unless we move to HTTPS in the first place.

Sorry this got a bit off-topic.  more on-point: HTTP is still non-secure.

Regards,

	--dkg

[0] http://arxiv.org/abs/1403.0297


Received on Thursday, 18 December 2014 16:10:43 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:08 UTC