W3C home > Mailing lists > Public > public-webappsec@w3.org > December 2014

RE: Marking HTTP As Non-Secure

From: Patrick Kolodziejczyk <patrick.kolodziejczyk@viseo.com>
Date: Fri, 19 Dec 2014 09:29:22 +0000
To: "Eduardo' Vela\" <Nava>" <evn@google.com>, Daniel Kahn Gillmor <dkg@fifthhorseman.net>
CC: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <1418981361437.96330@viseo.com>
I don't say HTTP is secure. I say we have to deal with this "no security". At least don't mark HTTP as "not secure", but rather as "public".


We should not make everyone wear a bulletproof vest every day because they could be killed by guns. (I am French; that is not even considered possible here...) It's a policy based on fear. It's not how you deal with that kind of threat. It brings more problems in the long term. Like considering that the victim didn't protect himself, making the aggressor guilty, but not charged.


And we have a law that is close to that in France, where everyone having access to the Internet is legally responsible for the security of that access. (Charging the victim...)

Source: (Article 8) http://www.legifrance.gouv.fr/affichTexte.do?cidTexte=JORFTEXT000021208046&categorieLien=id

And your approach validates theirs.


And the kind of attack that you suppose is a man-in-the-middle one. It supposes net neutrality is or will be broken. And HTTPS will not change that. So I truly believe you focus on technique when we shouldn't focus on that.


Note: As Eduardo says, HTTPS can't even guarantee that nobody knows which article you read.

@Daniel: I am not speaking about third parties, but the source directly. Your articles are net neutrality related; some Internet providers did that too on Google searches, and they stopped because it was discovered, not because of HTTPS.


Patrick Kolodziejczyk
Design and Development Engineer
BU technologies - Groupe Viseo
190, rue Garibaldi - 69003 LYON
Tel.  +33 (0)4 72 33 78 30
http://www.viseo.com<http://objetdirect.com/>
________________________________
From: Eduardo' Vela" <Nava> <evn@google.com>
Sent: Thursday 18 December 2014 16:37
To: Daniel Kahn Gillmor
Cc: Patrick Kolodziejczyk; public-webappsec@w3.org
Subject: Re: Marking HTTP As Non-Secure



On Thu, Dec 18, 2014 at 4:29 PM, Daniel Kahn Gillmor <dkg@fifthhorseman.net> wrote:
Hi Patrick--

Thanks for reading the proposal and giving feedback.

On 12/17/2014 05:42 AM, Patrick Kolodziejczyk wrote:

>  I don't like the idea of saying HTTP is not secure, by default.

I don't think any of the arguments you've presented are good reasons to
continue displaying http without a non-secure indicator.

> It's like hiding to read a newspaper. Yes, if it's a problem to do it, it's better that we make it private stuff. But IF we think it's not a problem and shouldn't be, then we have to make sure it stays "safe and public".

All the information in the newspaper can be public, but you might still
not want everyone to know which articles in the newspaper you are
interested in reading.

Among other things, HTTPS provides some confidentiality to *the act of
reading*, but does not restrict web sites from publishing public data.

HTTPS most likely doesn't hide which news articles you are reading. Traffic analysis against a site like a public news site is very likely to provide a near-perfect prediction.

> Plus, the fact that sources of information start to adjust their discourse as a function of their reader.

This is possible under cleartext HTTP as well.  Not only that, but
other parties can also adjust the information as a function of the reader:

 http://arstechnica.com/tech-policy/2014/09/why-comcasts-javascript-ad-injections-threaten-security-net-neutrality/
 http://www.wired.com/2014/10/verizons-perma-cookie/

(these links were in the article you linked)

> Making it private makes sure that no one will ever verify that.

No one is verifying that they received the same data as others have
received right now with cleartext HTTP or with HTTPS.  But even if they
were, marking HTTP as non-secure wouldn't prevent anyone from doing so.

Regards,

        --dkg
Received on Friday, 19 December 2014 09:31:07 UTC
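Eduardo's remark above (HTTPS "most likely doesn't hide which news articles you are reading", because traffic analysis against a public site gives a near-perfect prediction) is easy to demonstrate. The script below is an added example, not code from the thread or from any project it mentions. It assumes a hypothetical news site with a handful of static article pages whose sizes are made up, and it models TLS framing in a deliberately simplified way: one encrypted record per 16 KiB of plaintext, each carrying a 5-byte header and a 16-byte AEAD tag and no padding, as an AES-GCM suite would produce. Real pages pull in images, scripts and ads, may be compressed and may be multiplexed over HTTP/2, so a real attack works from a richer feature vector; the principle is the same. The observer first fetches every public page itself to build a catalogue of expected ciphertext lengths, then matches the length of the victim's encrypted response against that catalogue. The same code shows the one mitigation available to the server, padding responses to a fixed bucket size, and how it turns a unique match into an ambiguous one.

```python
"""Size-based traffic analysis of an HTTPS fetch (constructed example).

An on-path observer cannot read a TLS-protected response, but it does see
how many encrypted records were sent and how long each one was. For a
site whose pages are public and static, the observer fetches every page
itself, records the ciphertext length of each, and matches the victim's
captured length against that catalogue.

The TLS model here is a simplification (assumption): one record per 16 KiB
of plaintext, 5-byte header plus 16-byte AEAD tag per record, no padding.
"""
from collections import defaultdict

MAX_RECORD_PLAINTEXT = 16384   # largest TLS record body
RECORD_OVERHEAD = 5 + 16       # record header + AES-GCM tag (assumed suite)

# Constructed catalogue (hypothetical URLs and byte counts): what the
# observer measures by fetching each public page of the target site.
ARTICLE_SIZES = {
    "/politics/budget-vote": 48_213,
    "/politics/election-recap": 51_902,
    "/sports/derby-result": 48_213,     # same length as budget-vote: ambiguous
    "/tech/browser-ui-change": 73_450,
    "/health/flu-season": 22_118,
}


def padded_length(plaintext_len, pad_to=None):
    """Plaintext length after optional server-side padding to a multiple of pad_to."""
    if not pad_to:
        return plaintext_len
    return -(-plaintext_len // pad_to) * pad_to     # ceiling division


def record_lengths(plaintext_len):
    """Ciphertext record lengths the observer sees for one response body."""
    lengths = []
    remaining = plaintext_len
    while remaining > 0:
        chunk = min(remaining, MAX_RECORD_PLAINTEXT)
        lengths.append(chunk + RECORD_OVERHEAD)
        remaining -= chunk
    return lengths


def observed_total(plaintext_len, pad_to=None):
    """Total bytes of TLS application data on the wire for one response."""
    return sum(record_lengths(padded_length(plaintext_len, pad_to)))


def build_fingerprints(catalogue, pad_to=None):
    """Map each observable ciphertext total to the URLs that produce it."""
    index = defaultdict(list)
    for url, size in catalogue.items():
        index[observed_total(size, pad_to)].append(url)
    return index


def identify(total, fingerprints):
    """Candidate URLs whose fingerprint matches the captured total (sorted)."""
    return sorted(fingerprints.get(total, []))


def simulate(url, catalogue, pad_to=None):
    """Victim fetches url over HTTPS; observer matches the captured size.

    Returns the list of URLs the observer cannot distinguish from the one
    actually read. A one-element list means the article was identified.
    """
    captured = observed_total(catalogue[url], pad_to)
    return identify(captured, build_fingerprints(catalogue, pad_to))


if __name__ == "__main__":
    print("Unpadded responses:")
    for url in ARTICLE_SIZES:
        print(f"  {url:28} -> {simulate(url, ARTICLE_SIZES)}")
    print("Responses padded to 32 KiB buckets:")
    for url in ARTICLE_SIZES:
        print(f"  {url:28} -> {simulate(url, ARTICLE_SIZES, pad_to=32768)}")
```

Without padding, four of the five articles are identified exactly and the fifth only collides with a page that happens to have the same byte count. Padding every response up to the next 32 KiB boundary merges three articles into one bucket, at the cost of extra bandwidth, and still leaves the two outliers unique; bucketing helps only to the extent that many pages share a bucket, which is why it is rarely enough on its own.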