- From: Michael Martinez <michael.martinez@xenite.org>
- Date: Thu, 18 Dec 2014 11:25:59 -0500
- To: public-webappsec@w3.org
On 12/18/2014 10:29 AM, Daniel Kahn Gillmor wrote:
>> It's like hiding for read a new paper. Yes, if it's a problem to do it, it's better that we make it private stuff. But IF we think it's not a problem and shouldn't be, then we have to make sure it's stay "safe and public".
> All the information in the newspaper can be public, but you might still
> not want everyone to know which articles in the newspaper you are
> interested in reading.
>
> Among other things, HTTPS provides some confidentiality to *the act of
> reading*, but does not restrict web sites from publishing public data.

This proposal would radically transform the average Web user's experience, degrading the quality of that experience in exchange for a false sense of security.

There is absolutely no need for a browser to warn someone that a Website is non-secure if the Website doesn't require the user to provide any private information. If you are just there to read an article, look at pictures, or do anything else that can happen in a non-secure environment then the warning will deprive innocent Websites of deserved-traffic.

This proposal is reckless and irresponsible and what is most troubling is that too many people fail to question Google's publicly acknowledged financial motives (they say they are losing contracts overseas because governments no longer trust them in the wake of the Edward Snowden scandal) for promoting a technology that fails to live up to its promise. Google itself has fallen prey to Man-in-the-Middle attacks despite its use of HTTPS. How do its users benefit in that situation?

Degrading the Web user's experience for the flimsiest of reasons is not the kind of campaign that browser developers should be supporting. The majority of Web users have no knowledge of how the Web works. They just trust the developers to make it easier to use. Adopting this proposal would be a betrayal of that good faith and naive judgment. Worse, it would be an act of inconceivable short-sightedness.

HTTPS cannot defend itself against numerous pathways of compromise that have been outed, not to mention all the points of failure that many developers repeatedly bring up (such as improper installation of certificates, the requirement for a dedicated IP address for certificates, the expiration of certificates, compromises of certificate authorities, etc.).

The real problem here is that Google is fighting the NSA's attempts to monitor and track terrorist activities on the Internet but it takes inadequate action against those terrorists that use its own services (Gmail, YouTube, Blogger, even Google Web search itself) to publish and distribute their propaganda and sometimes their organizational data. In fact, Google has gone out of its way to make the Web a more secure place for the terrorist organizations. If you want to defend people's privacy then working with the governments that are fighting Al Qaeda, Islamic State, and other similar groups to identify and dismantle their online activities would be far more productive than giving those groups additional protection while demanding that the governments do something.

Technology is at the heart of this crisis and the crisis is not that governments have the ability to intercept and scan user communications (Google does that all the time through its advertising services); the crisis is that a movement of human radicalization is spreading across services like Facebook, YouTube, and Twitter at an alarming pace. News media reports indicate that thousands of westerners have now joined or attempted to join these terrorist organizations after being converted by online propaganda. And Google's response is to deprive innocent Websites of traffic by positioning misleading and unnecessary warnings between those sites and their potential visitors so that it can appear to the general public as though it is protecting citizen privacy from evil government.

You guys need to stop and think about what you are doing.

If you force the Web to use HTTPS you will forever deprive free speech of one of its most powerful tools.

--
Michael Martinez
http://www.michael-martinez.com/

YOU CAN HELP OUR WOUNDED WARRIORS
http://www.woundedwarriorproject.org/

Received on Thursday, 18 December 2014 16:28:38 UTC