- From: Michal Zalewski <lcamtuf@coredump.cx>
- Date: Fri, 19 Dec 2014 01:49:17 -0800
- To: michael.martinez@xenite.org
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
> HTTPS is completely useless.

I hate to be blunt, but I'd like to reiterate what others have said: you seem to be operating under some fairly unorthodox assumptions about the design, implementation, and practical properties of HTTPS as deployed between mainstream browsers and web services. I would suggest some hands-on experimentation to verify said assumptions before getting overly invested in the argument.

The protocol itself has fairly complex and frequently overstated privacy properties (in part for the reasons noted by Eduardo). It also comes with a lot of historical baggage. And then, of course, there are occasional issues with CAs (addressed to some extent by pinning, certificate transparency, etc.). Last but not least, there are countless ways to get the implementations wrong due to wonky and complicated APIs.

Having said all that, I'm fairly confident that the situation is far from the picture painted in some of your replies.

/mz
Received on Friday, 19 December 2014 09:50:04 UTC