W3C home > Mailing lists > Public > public-webappsec@w3.org > December 2014

Re: [blink-dev] Re: Proposal: Marking HTTP As Non-Secure

From: Chris Palmer <palmer@google.com>
Date: Thu, 18 Dec 2014 15:49:47 -0800
Message-ID: <CAOuvq20bZQZ2-c0Kb597gbcX3iNWLgQHatTwxaSXsh+XY0oWkg@mail.gmail.com>
To: michael.martinez@xenite.org
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, mozilla-dev-security@lists.mozilla.org, security-dev <security-dev@chromium.org>, blink-dev <blink-dev@chromium.org>
On Thu, Dec 18, 2014 at 3:39 PM, Michael Martinez
<michael.martinez@xenite.org> wrote:

> You're assuming people don't connect to open wifi hotspots where rogue
> routers can be set up by anyone.  If thieves are willing to build fake ATM
> machines and distribute them to shopping centers across a large geographical
> area then they will certainly go to the same lengths to distribute rogue
> routers.

Indeed, there are many rogue wifi hotspots, and indeed many rogue
routers at ISPs (it's definitely not just "last mile" routing that we
need to be concerned about).

The part you're missing is that the man-in-the-middle attacker needs
to present a certificate for the server, say mail.google.com, that was
issued by a certification authority *that the client trusts*. Not just
any certificate for mail.google.com will do.

Now, this is not an insurmountable obstacle to the attacker. But it is
non-trivial: the CAs that clients trust are trying hard not to
mis-issue certificates. And, we are working to make it even more
difficult for attackers, such as with our Certificate Transparency and
public key pinning efforts.

Before arguing against HTTPS, you should make sure you know how it works.

I would encourage you try to mount the attack you describe (only
against your own computers, of course!). I think you will find that
you won't get very far without a valid certificate issued by a
well-known CA.
Received on Thursday, 18 December 2014 23:50:14 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:08 UTC