- From: Eduardo' Vela <evn@google.com>
- Date: Fri, 19 Dec 2014 11:56:21 +0100
- To: Michal Zalewski <lcamtuf@coredump.cx>
- Cc: michael.martinez@xenite.org, "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <CAFswPa-KKxU59C5Wi_ikrzYxTtfozKCaTekqK6m77UHNXFJy1w@mail.gmail.com>
In case some of my comments were misinterpreted.

I am definitely not against telling people websites are insecure, especially *if that means that we will stop telling people that HTTPS sites are secure*.

Marketing further the fact that a website using HTTPS is secure (status quo) would definitely be wrong, but unless I'm missing something, the proposal is to say HTTP *is* insecure, which is probably true (I mean, *many HTTPS websites are probably even more insecure*, but at least Chrome knows for sure the HTTP sites definitely lack several security features), and most importantly, the end game is to stop the practice of saying HTTPS sites are secure.

I think that's reasonable. I would be *strongly opposed if we technically forced the whole internet to use HTTPS* (and I still think *it's pretty stupid to limit some browser security features to HTTPS websites*), and the current status quo of telling people "this site is secure" for HTTPS is more confusing than helpful.

Also, it is probably true that *most news sites don't need the confidentiality protections provided by HTTPS*, and I also think *CAs by themselves are not the right solution to the authentication problem* (although I do think Certificate Transparency can solve that somewhat).

But either way, those sites are not being blocked by Chrome, they are simply being labeled not secure. And maybe the user won't care.

Think of it this way: when the connection is over HTTPS, there's at least a chance that the connection is encrypted/authenticated. When the connection is not, there's absolutely no chance it is. So it's reasonable to say "X and Y" are not secure. The current situation is that we tell people "A and B" are secure, when they most likely are not.

The effect of this change is positive overall.

I think more productive arguments to criticize this change, if people really want to, could be:

1. Side effects.
  - *If many websites will have this warning, the user will just ignore it*. Even 15% of sites with a warning will make most users totally ignore the warning after a while.
  - Sites without HTTPS will just have workarounds. We've already seen websites with mixed content warnings where *the owners simply put a bigger, greener, stronger, shinier padlock, to make users feel safe*. And it works. Users don't know how to trust the URL address bar.
  - Performance? Latency? Caching? Most ISPs do intermediate caching; they won't be able to anymore, possibly resulting in higher network costs, which would then result in either degraded service to users, or higher fees.
  - The usual stupid arguments about "national security", "open data", "aggregated statistics for the benefit of all", "subsidized costs in exchange for getting script tags injected on the sites you go to", etc.

2. Consistency.
  - The usage of old or bad SSL/TLS configurations is weak enough to also be marked insecure. Will that happen too? Where's the line? What about non-auditable (eg, not in CT logs) certs?

3. User perception.
  - If Chrome tells users http://nytimes.com is insecure, the user will just switch to Firefox, because Firefox doesn't say that.
  - If a user visits http://hackernews.com with a warning "this site is insecure", will they think they will get malware? Is that the right message to send? The lack of "this site is insecure" doesn't mean the user won't get malware anyway. Conflating concepts is going to be a problem.

But at the end, the real headline, or at least, what actually is happening that is good for the internet, is that we *finally* will stop telling people HTTPS websites are secure. That's really cool!
Received on Friday, 19 December 2014 10:57:10 UTC