Re: Proposal: Marking HTTP As Non-Secure

From: <jstriegel@google.com>
Date: Thu, 18 Dec 2014 09:52:56 -0800 (PST)
To: security-dev@chromium.org
Cc: public-webappsec@w3.org, blink-dev@chromium.org, dev-security@lists.mozilla.org
Message-Id: <59404df0-9611-4bd5-8376-a93533a3ee4e@chromium.org>

> Roughly speaking, there are three basic transport layer security states for web origins:
> 
> Secure (valid HTTPS, other origins like (*, localhost, *));
> Dubious (valid HTTPS but with mixed passive resources, valid HTTPS with minor TLS errors); and
> Non-secure (broken HTTPS, HTTP).

I'd like to propose consideration of a fourth category:
Personal Devices (home routers, printers, IoT, Raspberry Pis in classrooms, refrigerators):
 - cannot, by nature, participate in DNS and CA systems
 - likely on private network block
 - user is the owner of the service, hence can trust self rather than CA

Suggested use:
 - IoT devices generate unique, self-signed cert
 - Friendlier interstitial (i.e. "Is this a device you recognize?") for self-signed connections on *.local, 192.168.*, 10.*, or on same local network as browser.
 - user approves use on first https connection
 - browser remembers (device is promoted to "secure" status)

A lot of IoT use cases could benefit from direct connection (not requiring a cloud service as secure data proxy), but this currently gives the scariest of Chrome warnings. This is probably why the average home router or firewall is administered over http.
Received on Friday, 19 December 2014 13:52:16 UTC
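
The first-use flow proposed in the message above, as an added example (not part of the original message and not any browser's code). `DeviceTrustStore`, its method names and the three return values are hypothetical; treating a changed certificate on a remembered device as non-secure rather than re-prompting is an assumption of this sketch, and the "same local network as browser" condition is not modelled.

```python
import hashlib
import ipaddress

# Address ranges named in the post (192.168.* and 10.*).
LOCAL_NETS = [ipaddress.ip_network("192.168.0.0/16"), ipaddress.ip_network("10.0.0.0/8")]

def is_personal_device_host(host):
    """True for *.local names and literal addresses in 192.168.* or 10.*."""
    host = host.lower().rstrip(".")
    if host.endswith(".local"):
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # any other DNS name: normal CA validation applies
    return any(addr in net for net in LOCAL_NETS)

def fingerprint(cert_der):
    """SHA-256 over the certificate bytes, as a hex string."""
    return hashlib.sha256(cert_der).hexdigest()

class DeviceTrustStore:
    """Hypothetical store of self-signed certificates the user has approved."""
    def __init__(self):
        self._pins = {}  # (host, port) -> approved SHA-256 fingerprint

    def evaluate(self, host, port, cert_der, user_recognizes=None):
        """Return 'secure', 'ask-user' or 'non-secure' for a self-signed cert."""
        if not is_personal_device_host(host):
            return "non-secure"  # self-signed on a public name: no friendly path
        key, seen = (host.lower().rstrip("."), port), fingerprint(cert_der)
        pinned = self._pins.get(key)
        if pinned is not None:
            # Assumption: a different key is never offered the friendly prompt
            # again, since 192.168.1.1 on another network is another device.
            return "secure" if pinned == seen else "non-secure"
        if user_recognizes is None:
            return "ask-user"  # show "Is this a device you recognize?"
        if user_recognizes:
            self._pins[key] = seen  # browser remembers the approved certificate
            return "secure"
        return "non-secure"

# Constructed sample bytes standing in for two devices' DER certificates.
ROUTER_CERT = b"constructed-der-bytes-router"
OTHER_CERT = b"constructed-der-bytes-other-device"
```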
