
Re: Marking HTTP As Non-Secure

From: Michal Zalewski <lcamtuf@coredump.cx>
Date: Fri, 19 Dec 2014 01:49:17 -0800
Message-ID: <CALx_OUD+Pp30BjdH=iVT6Kcdc-MqN+n3PpsDBkd=PKdTdKRhbw@mail.gmail.com>
To: michael.martinez@xenite.org
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>

> HTTPS is completely useless.

I hate to be blunt, but I'd like to reiterate what others have said:
you seem to be operating under some fairly unorthodox assumptions
about the design, implementation, and practical properties of HTTPS as
deployed between mainstream browsers and web services. I would suggest
some hands-on experimentation to verify said assumptions before
getting overly invested in the argument.

The protocol itself has fairly complex and frequently overstated
privacy properties (in part for the reasons noted by Eduardo). It also
comes with a lot of historical baggage. And then, of course, there are
occasional issues with CAs (addressed to some extent by pinning,
certificate transparency, etc). Last but not least, there are
countless ways to get the implementations wrong due to wonky and
complicated APIs.

Having said all that, I'm fairly confident that the situation is far
from the picture painted in some of your replies.

/mz
Received on Friday, 19 December 2014 09:50:04 UTC
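The "countless ways to get the implementations wrong due to wonky and complicated APIs" point above is easy to see in a concrete client. The following is an added example, not part of the thread: it uses only Python's standard ssl module and shows the classic "disable verification" configuration next to a properly configured client context, plus a small audit helper that flags the weak one. The function names (audit_client_context, weak_context, hardened_context) are my own; no contexts here actually connect anywhere, so it runs offline.

```python
import ssl

def audit_client_context(ctx):
    """Return a list of findings for a client-side SSLContext.

    Empty list means the context validates the server certificate chain,
    checks that the certificate matches the host name, and refuses
    protocol versions older than TLS 1.2.
    """
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: server certificate chain is not validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: a valid certificate for *any* name is accepted")
    # TLSVersion is an IntEnum, so the comparison below is numeric.
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version allows protocol versions older than TLS 1.2")
    return findings

def weak_context():
    """The copy-pasted 'make the certificate error go away' configuration.

    Note the API quirk: check_hostname must be switched off *before*
    verify_mode is set to CERT_NONE, otherwise the assignment raises.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def hardened_context():
    """What a client should use: system trust store, hostname check,
    certificate required, and an explicit TLS 1.2 floor (older Python
    versions default the floor lower, so it is set here on purpose)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

if __name__ == "__main__":
    for name, ctx in (("weak", weak_context()), ("hardened", hardened_context())):
        problems = audit_client_context(ctx)
        print(f"{name}: {'OK' if not problems else ''}")
        for p in problems:
            print(f"  - {p}")
```

The point the helper makes is that the weak context and the hardened one are both "HTTPS" from the application's perspective; only the first two attributes decide whether the connection actually authenticates the server. Running the audit over the contexts an application constructs (or over the SSLContext that an HTTP library hands you) is a cheap check to add to a code review or a test suite.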
