W3C home > Mailing lists > Public > public-webappsec@w3.org > December 2014

Re: Proposal: Marking HTTP As Non-Secure

From: Ryan Sleevi <rsleevi@chromium.org>
Date: Fri, 19 Dec 2014 20:10:33 -0800
Message-ID: <CACvaWvYFRKHNTDDaTZ6uW9Rxu7tfwhWWN8gCwm_KDG7=piCmQQ@mail.gmail.com>
To: Michael Martinez <michael.martinez@xenite.org>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, blink-dev <blink-dev@chromium.org>, security-dev <security-dev@chromium.org>, "dev-security@lists.mozilla.org" <dev-security@lists.mozilla.org>, mozilla-dev-security@lists.mozilla.org
On Fri, Dec 19, 2014 at 7:32 PM, Michael Martinez <
michael.martinez@xenite.org> wrote:

> On 12/19/2014 8:33 PM, Donald Stufft wrote:
>
>> So how is marking some Websites as "non-secure" (they all are) improving
>> the situation?  Shaming Website owners for not using encrypted connections,
>> especially when your only concern is that you don't want some random
>> stranger to see that you are reading a blog, is not acceptable.
>> I think you’re fundamentally confused, I do not believe that anyone who
>> is making this proposal is trying to force site operators to use HTTPS.
>>
>
> Then I suggest you go back and reread the other posts from people who have
> said exactly that.
>
> It is precisely this kind of inattention to what is actually being said
> that keeps resetting this conversation.
>
> I am very ill right now and I don't have the energy for further
> discussion.  I hope that the people who need to consider these things see
> past the needless nit-pickery and think about the big picture.  You won't
> be able to undo the damage this proposal will do, if it is carried out,
> even if that turns out to be less than some of us fear.
>

It is not needlessly nitpicky. You've made several claims that range from
demonstrably inaccurate to factually incorrect. When pressed for details,
either you shift the topic to something unrelated or you claim it's not
your responsibility to provide those details. When presented with evidence
counter to your claim, you ignore it.

You'd be surprised by the number of people making a good faith effort to
give you both the benefit of the doubt and to patiently explain to you why
you're either misunderstanding the issues at play or downright wrong.

You've confused ARP poisoning with certificate compromise. You've proposed
TLS in everything but name, yet argued against TLS. You've conflated "want
the world to move to HTTPS" with "force the world to move to HTTPS", when
multiple people - the original poster, people from the same organization,
and people from different browsers - all pointing out that the two are not
the same.

Quothe the original proposal (
https://groups.google.com/a/chromium.org/d/msg/security-dev/DHQLv76QaEM/qTm0E376lswJ
)
"We, the Chrome Security Team, propose that user agents (UAs) gradually
change their UX to display non-secure origins as affirmatively non-secure."

Echo'd again -
https://groups.google.com/a/chromium.org/d/msg/security-dev/DHQLv76QaEM/cKBImJOUrEcJ

"HTTPS is the bare minimum requirement for secure web application
*transport*. Is secure transport by itself sufficient to achieve total
*application-semantic* security? No. But a browser couldn't determine that
level of security anyway. Our goal is for the browser to tell as much of
the truth as it can programatically determine at run-time."

And again -
https://groups.google.com/a/chromium.org/d/msg/security-dev/DHQLv76QaEM/vgfv-e6A21MJ
"(a) Users are currently habituated to treat non-secure transport as
OK. The status quo is terrible.

(b) What Peter Kasting said: we propose a passive indicator, not a
pop-up or interstitial. "
"Again, it's a passive indicator;"

More importantly, you've continued to make claims without supporting
evidence. This has been explained by
https://groups.google.com/a/chromium.org/d/msg/security-dev/DHQLv76QaEM/zWkvtQ7HpB4J
and
https://groups.google.com/a/chromium.org/d/msg/security-dev/DHQLv76QaEM/FlyAPvETiwMJ
and
https://groups.google.com/a/chromium.org/d/msg/security-dev/DHQLv76QaEM/n3DGBTbdyiMJ
and
https://groups.google.com/a/chromium.org/d/msg/security-dev/DHQLv76QaEM/sHWde0wF7akJ

While all feedback is appreciated to some level, you seem to be frustrated
by the lack of attention being posed to your points. You've gone as far as
to insult the intelligence of those replying in
https://groups.google.com/a/chromium.org/d/msg/security-dev/DHQLv76QaEM/sfs-2A1P7rUJ
. However, I'd like to again point out (as several have already patiently
done so) that you've effectively ignored every single question posed to
you, instead turned out to be rather dismissive and rude.

I think we're very aware of the big picture here, and have tried patiently
to explain it and to allay your misplaced fears that seem to be based on
honest and genuine misunderstanding. However, in the absence of reasonable
and rationale discourse, and the absence of new information, perhaps it's
best to have had your say for now. In the big picture, continuing to use
unauthenticated, non-confidential transports that anyone can modify while
presenting them as acceptable and secure is downright dishonest - something
the original post explained with a number of examples -
https://groups.google.com/a/chromium.org/d/msg/security-dev/DHQLv76QaEM/qTm0E376lswJ
.
Received on Saturday, 20 December 2014 04:11:00 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:08 UTC