W3C home > Mailing lists > Public > public-webappsec@w3.org > December 2014

Re: [blink-dev] Re: Proposal: Marking HTTP As Non-Secure

From: Michael Martinez <michael.martinez@xenite.org>
Date: Thu, 18 Dec 2014 18:55:50 -0500
Message-ID: <54936986.7020209@xenite.org>
To: public-webappsec@w3.org, mozilla-dev-security@lists.mozilla.org, security-dev@chromium.org, blink-dev@chromium.org
On 12/18/2014 6:49 PM, Chris Palmer wrote:
> On Thu, Dec 18, 2014 at 3:39 PM, Michael Martinez
> <michael.martinez@xenite.org> wrote:
>
>> You're assuming people don't connect to open wifi hotspots where rogue
>> routers can be set up by anyone.  If thieves are willing to build fake ATM
>> machines and distribute them to shopping centers across a large geographical
>> area then they will certainly go to the same lengths to distribute rogue
>> routers.
> Indeed, there are many rogue wifi hotspots, and indeed many rogue
> routers at ISPs (it's definitely not just "last mile" routing that we
> need to be concerned about).
>
> The part you're missing is that the man-in-the-middle attacker needs
> to present a certificate for the server, say mail.google.com, that was
> issued by a certification authority *that the client trusts*. Not just
> any certificate for mail.google.com will do.
No, see my other reply for why that is no longer true.  The point here 
is that coercing the Web into changing over to HTTPS is equivalent to 
forcing everyone to replace their cell phones with land lines.  You're 
trying to fix a technology that has been rendered obsolete by exploits 
that were never anticipated in the original design.

> Now, this is not an insurmountable obstacle to the attacker. But it is
> non-trivial: the CAs that clients trust are trying hard not to
> mis-issue certificates. And, we are working to make it even more
> difficult for attackers, such as with our Certificate Transparency and
> public key pinning efforts.
>
> Before arguing against HTTPS, you should make sure you know how it works.
Before arguing FOR HTTPS you need to make sure you know about all the 
latest exploits that render it useless.

I encourage you to spend more time doing research in this area and less 
time repeating lectures that are outdated.  HTTPS really doesn't 
accomplish anything in the long run anyway.  All the user data you're 
encrypting eventually becomes vulnerable to hacking on the server side.  
Sure, that data could be encrypted over there (and should be) but it's not.

So you're standing guard at the front door and the thieves are breaking 
into the house through the windows.  Meanwhile you're creating a bad 
user experience with all these warnings and road-blocks to perfectly 
legitimate Websites, burdening the system with extra processing cycles, 
and not preventing massive MITM attacks from making the news every 1-2 
months.

Your time and effort would be better spent improving the browser 
experience.


-- 
Michael Martinez
http://www.michael-martinez.com/

YOU CAN HELP OUR WOUNDED WARRIORS
http://www.woundedwarriorproject.org/
Received on Thursday, 18 December 2014 23:56:21 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:08 UTC