W3C home > Mailing lists > Public > public-webappsec@w3.org > December 2014

Re: [blink-dev] Re: Proposal: Marking HTTP As Non-Secure

From: Chris Palmer <palmer@google.com>
Date: Thu, 18 Dec 2014 11:33:35 -0800
Message-ID: <CAOuvq20p4jUkD6SBxhck2BRAp-hJhkv_2ZEkGmA_xWNm5j1jcA@mail.gmail.com>
To: Jason Striegel <jstriegel@google.com>
Cc: security-dev <security-dev@chromium.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>, blink-dev <blink-dev@chromium.org>, "dev-security@lists.mozilla.org" <dev-security@lists.mozilla.org>
On Thu, Dec 18, 2014 at 9:52 AM, jstriegel via blink-dev
<blink-dev@chromium.org> wrote:

> I'd like to propose consideration of a fourth category:
> Personal Devices (home routers, printers, IoT, raspberry pis in classrooms, refrigerators):
>  - cannot, by nature, participate in DNS and CA systems
>  - likely on private network block
>  - user is the owner of the service, hence can trust self rather than CA
>
> Suggested use:
>  - IoT devices generate unique, self-signed cert
>  - Friendlier interstitial (Ie. "Is this a device you recognize?") for self-signed connections on *.local, 192.168.*, 10.*, or on same local network as browser.
>  - user approves use on first https connection
>  - browser remembers (device is promoted to "secure" status)
>
> A lot of IoT use cases could benefit from direct connection (not requiring a cloud service as secure data proxy), but this currently gives the scariest of Chrome warnings. This is probably why the average home router or firewall is administered over http.

Yes, I agree this is a problem. I am hoping to publish a proposal for
how UAs can authenticate private devices soon (in January probably).

A key goal is not having to ask the user "Is this a device you
recognize?" — I think we can get the UX flow even simpler, and still
be strong. Watch this space...
Received on Thursday, 18 December 2014 19:34:01 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:08 UTC