
Re: Marking HTTP As Non-Secure

From: Michael Martinez <michael.martinez@xenite.org>
Date: Thu, 18 Dec 2014 11:25:59 -0500
Message-ID: <54930017.5090106@xenite.org>
To: public-webappsec@w3.org
On 12/18/2014 10:29 AM, Daniel Kahn Gillmor wrote:
>> It's like hiding to read a newspaper. Yes, if it's a problem to do it, it's better that we make it private stuff. But IF we think it's not a problem and shouldn't be, then we have to make sure it stays "safe and public".
> All the information in the newspaper can be public, but you might still
> not want everyone to know which articles in the newspaper you are
> interested in reading.
>
> Among other things, HTTPS provides some confidentiality to *the act of
> reading*, but does not restrict web sites from publishing public data.

This proposal would radically transform the average Web user's 
experience, degrading the quality of that experience in exchange for a 
false sense of security.  There is absolutely no need for a browser to 
warn someone that a Website is non-secure if the Website doesn't require 
the user to provide any private information.  If you are just there to 
read an article, look at pictures, or do anything else that can happen 
in a non-secure environment then the warning will deprive innocent 
Websites of deserved traffic.

This proposal is reckless and irresponsible and what is most troubling 
is that too many people fail to question Google's publicly acknowledged 
financial motives (they say they are losing contracts overseas because 
governments no longer trust them in the wake of the Edward Snowden 
scandal) for promoting a technology that fails to live up to its promise.

Google itself has fallen prey to Man-in-the-Middle attacks despite its 
use of HTTPS.  How do its users benefit in that situation?

Degrading the Web user's experience for the flimsiest of reasons is not 
the kind of campaign that browser developers should be supporting.

The majority of Web users have no knowledge of how the Web works. They 
just trust the developers to make it easier to use.  Adopting this 
proposal would be a betrayal of that good faith and naive judgment.

Worse, it would be an act of inconceivable short-sightedness.  HTTPS 
cannot defend itself against numerous pathways of compromise that have 
been outed, not to mention all the points of failure that many 
developers repeatedly bring up (such as improper installation of 
certificates, the requirement for a dedicated IP address for 
certificates, the expiration of certificates, compromises of certificate 
authorities, etc.).

The real problem here is that Google is fighting the NSA's attempts to 
monitor and track terrorist activities on the Internet but it takes 
inadequate action against those terrorists that use its own services 
(Gmail, YouTube, Blogger, even Google Web search itself) to publish and 
distribute their propaganda and sometimes their organizational data.  In 
fact, Google has gone out of its way to make the Web a more secure place 
for the terrorist organizations.

If you want to defend people's privacy then working with the governments 
that are fighting Al Qaeda, Islamic State, and other similar groups to 
identify and dismantle their online activities would be far more 
productive than giving those groups additional protection while 
demanding that the governments do something.

Technology is at the heart of this crisis and the crisis is not that 
governments have the ability to intercept and scan user communications 
(Google does that all the time through its advertising services); the 
crisis is that a movement of human radicalization is spreading across 
services like Facebook, YouTube, and Twitter at an alarming pace.  News 
media reports indicate that thousands of westerners have now joined or 
attempted to join these terrorist organizations after being converted by 
online propaganda.

And Google's response is to deprive innocent Websites of traffic by 
positioning misleading and unnecessary warnings between those sites and 
their potential visitors so that it can appear to the general public as 
though it is protecting citizen privacy from evil government.

You guys need to stop and think about what you are doing.  If you force 
the Web to use HTTPS you will forever deprive free speech of one of its 
most powerful tools.

-- 
Michael Martinez
http://www.michael-martinez.com/

YOU CAN HELP OUR WOUNDED WARRIORS
http://www.woundedwarriorproject.org/
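The quoted point above, that HTTPS protects "the act of reading" even when the content itself is public, is easiest to see on the wire. The following is an added illustration, not code from the thread or from any of the parties mentioned: it parses a constructed plaintext HTTP request the way an on-path observer would, then builds a minimal TLS 1.2 ClientHello with an SNI extension and shows that the same observer recovers only the server name and record sizes. The hostname `news.example`, the article path, the cookie value and the cipher suite are example values chosen for the demonstration.

```python
"""Added example: what a passive observer recovers from HTTP vs. TLS.
All inputs below are constructed for the demonstration, not captured."""
import struct

# --- Plaintext HTTP: the observer sees host, path, headers and body -------

def observe_http(raw: bytes) -> dict:
    """Parse the request line and headers of a plaintext HTTP/1.1 request
    exactly as an on-path observer (ISP, hotspot, exchange-point tap) can."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, target, version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return {"host": headers.get("host"), "path": target.decode(),
            "headers": headers, "body": body}

# --- TLS: the observer sees the server name and record sizes only ---------

def build_client_hello(server_name: str) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record carrying one SNI entry
    (constructed for the example; real clients send more fields)."""
    host = server_name.encode("idna")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host      # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # extension_type 0 = server_name
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (b"\x03\x03"                  # client_version TLS 1.2
            + bytes(32)                  # random (zeros: example only)
            + b"\x00"                    # session_id length 0
            + b"\x00\x02\xc0\x2f"        # one suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
            + b"\x01\x00"                # compression methods: null
            + extensions)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type client_hello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # TLSPlaintext header

def _extract_sni(ch: bytes):
    """Walk a ClientHello body and return the host_name from the SNI extension."""
    p = 2 + 32                                       # skip version + random
    p += 1 + ch[p]                                   # session_id
    p += 2 + struct.unpack("!H", ch[p:p + 2])[0]     # cipher_suites
    p += 1 + ch[p]                                   # compression_methods
    if p + 2 > len(ch):
        return None
    end = p + 2 + struct.unpack("!H", ch[p:p + 2])[0]
    p += 2
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", ch[p:p + 4])
        p += 4
        if etype == 0:
            q = p + 2                                # skip server_name_list length
            name_type, nlen = ch[q], struct.unpack("!H", ch[q + 1:q + 3])[0]
            if name_type == 0:
                return ch[q + 3:q + 3 + nlen].decode("idna")
        p += elen
    return None

def observe_tls(raw: bytes) -> dict:
    """Split a byte stream into TLS records.  The SNI is readable from the
    ClientHello; the HTTP request itself travels in encrypted
    application_data records, so no path, query or cookie is recoverable."""
    seen = {"sni": None, "path": None, "records": []}
    pos = 0
    while pos + 5 <= len(raw):
        ctype, _ver, rlen = struct.unpack("!BHH", raw[pos:pos + 5])
        rec = raw[pos + 5:pos + 5 + rlen]
        seen["records"].append((ctype, rlen))
        if ctype == 0x16 and rec and rec[0] == 0x01:  # handshake record, client_hello
            seen["sni"] = _extract_sni(rec[4:])
        pos += 5 + rlen
    return seen

# Constructed sample traffic for one fetch of one article, both ways.
HTTP_REQUEST = (b"GET /news/2014/12/18/some-article HTTP/1.1\r\n"
                b"Host: news.example\r\n"
                b"Cookie: session=abc123\r\n\r\n")
TLS_HANDSHAKE = build_client_hello("news.example")
# The GET inside TLS is an application_data record (0x17) whose payload is
# ciphertext; only its length is visible.  Placeholder zeros stand in here.
TLS_APP_DATA = b"\x17\x03\x03" + struct.pack("!H", 96) + bytes(96)

if __name__ == "__main__":
    print("HTTP observer sees:", observe_http(HTTP_REQUEST))
    print("TLS observer sees :", observe_tls(TLS_HANDSHAKE + TLS_APP_DATA))
```

The record lengths the TLS observer keeps are not nothing: traffic-analysis work has shown that response sizes can sometimes identify which page of a known site was fetched, which is why the quoted text says HTTPS provides "some" confidentiality rather than full confidentiality. The plaintext case needs no such inference; the article path and the session cookie are simply there.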
Received on Thursday, 18 December 2014 16:28:38 UTC
