Re: Proposal: Marking HTTP As Non-Secure

From: Matthew Dempsky <mdempsky@chromium.org>
Date: Thu, 18 Dec 2014 16:02:22 -0800
Message-ID: <CAF52+S7DbyLBVZ7dffC7AedbsPXDGm1iRYbiKWT=PbgCb-QEzA@mail.gmail.com>
To: michael.martinez@xenite.org
Cc: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, public-webappsec@w3.org, security-dev@chromium.org, mozilla-dev-security@lists.mozilla.org, blink-dev <blink-dev@chromium.org>
On Thu, Dec 18, 2014 at 3:46 PM, Michael Martinez <michael.martinez@xenite.org> wrote:
>
> No, what I am saying is that you can bypass the certificate for a MITM
> attack via a new technique that was published earlier this year.
>

Citation needed.

Earlier this year, you made these two G+ posts suggesting HTTPS is broken:

https://plus.google.com/102255413942524311706/posts/bBMdzq8Z3vF

Google, the great champion of HTTPS/SSL, cannot prevent yet more
man-in-the-middle attacks against its users:
http://www.theregister.co.uk/2014/11/21/hackers_snaffling_smartphone_secrets_with_redirection_attack/


https://plus.google.com/102255413942524311706/posts/LjKu1UfraXR

If your company is serious about using HTTPS it has to do it right (not
that it will matter, but don't throw your money away on bad
implementation).
http://www.darkreading.com/endpoint/the-week-when-attackers-started-winning-the-war-on-trust-/a/d-id/1317657

The first link is about an ARP-poisoning man-in-the-middle attack that has
nothing to do with HTTPS/SSL, the article doesn't mention "HTTPS" or "SSL",
and in fact the attack would have been *prevented* by HTTPS/SSL.

The second link is about how mismanaging your web server can compromise
HTTPS's added security benefits (e.g., using long-unsupported MD5
certificates or revealing your SSL secret key).  That's true, but
misleading: the risks are no more severe than if you mismanage an HTTP-only
server.

You seem to be arguing that people shouldn't be encouraged to lock their
doors when leaving because sometimes they forget to lock their windows.
But actually we need to encourage people to do *both*.

Received on Friday, 19 December 2014 00:04:36 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:08 UTC