- From: Yngve Nysaeter Pettersen <yngve@opera.com>
- Date: Wed, 28 Jan 2009 18:50:27 +0100
- To: "Thomas Roessler" <tlr@w3.org>, "W3C WSC Internal" <public-wsc-wg@w3.org>
Looks good to me.

On Wed, 28 Jan 2009 18:30:42 +0100, Thomas Roessler <tlr@w3.org> wrote:

> Here we go... Comments by EOB next Tuesday?
>
>> Hi,
>>
>> thanks for your request for advice with respect to the proposed best
>> practices on the use of HTTPS. The Web Security Context Working Group
>> has considered the proposed best practice on a recent conference call.
>>
>> The short version of the advice is "don't do this, it's a bad practice."
>>
>> The longer version: We believe that you mean to recommend token-based
>> authentication schemes (where only an initial login transaction is done
>> through HTTPS, but most interactions are through plain HTTP, with an
>> appropriate token transmitted as a cookie or in some HTTP header)
>> similar to the ones currently in use at large web properties. While
>> there may be situations in which the use of such schemes is justified
>> as the result of a complex trade-off, we oppose a best practice
>> recommending this approach. There are several reasons for this advice:
>>
>> 1. Use of HTTP in such schemes often leaves the asset that should
>> really be protected out in the open: E.g., a webmail service
>> implemented according to this advice might permit an attacker full
>> access to the victim's inbox.
>>
>> 2. When using TLS, there is no reason to repeat the initial public key
>> handshake for every single HTTP request: The resource-intensive piece
>> of the protocol occurs when the TLS handshake is first executed (e.g.,
>> when accessing the login page); future HTTP requests only require cheap
>> symmetric key operations.
>>
>> 3. The practice described is particularly bad in the case of
>> applications targeted at mobile use: Mobile devices are increasingly
>> used to access the Web through whatever Wireless LAN might be
>> available. There is no reason to trust these networks; indeed, there
>> is hardly a situation with a higher exposure to network attacks than an
>> untrusted Wireless LAN environment. Therefore, the Best Practices
>> document should call out the overall risk profile, and *encourage* use
>> of TLS.
>>
>> 4. We note that your specification seems to aim at relatively complex
>> Web Applications, which implies a high likelihood that powerful mobile
>> devices will be used with these applications. That implies both an
>> even higher likelihood for the use of W-LAN, and a comparably low
>> likelihood that resource constraints will indeed be seriously affected
>> by the use of TLS.
>>
>> On behalf of the Web Security Context WG,
>> --
>> Thomas Roessler, W3C <tlr@w3.org>

-- 
Sincerely,
Yngve N. Pettersen

********************************************************************
Senior Developer                     Email:  yngve@opera.com
Opera Software ASA                   http://www.opera.com/
Phone:  +47 24 16 42 60              Fax:    +47 24 16 40 01
********************************************************************
Received on Wednesday, 28 January 2009 17:51:06 UTC
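Point 1 of the quoted advice turns on where the session token travels after the HTTPS login. The check below is added here as an example and is not part of the thread: it audits a login response's Set-Cookie headers for token cookies that a browser would send on plain-HTTP requests; the sample headers and the cookie-name heuristic are constructed assumptions.

```python
# Added example, not from the W3C thread: audit the headers a login endpoint
# returns and flag session tokens a browser would replay over plain HTTP.
# Constructed sample headers; the cookie names are assumptions, not from the thread.
LOGIN_RESPONSE_HEADERS = [
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "prefs=dark; Path=/"),
    ("Set-Cookie", "auth=xyz789; Path=/; Secure; HttpOnly"),
]
TOKEN_HINTS = ("session", "auth", "token", "sid")  # names that usually carry a credential


def parse_set_cookie(value):
    """Split 'name=val; Attr; Attr=x' into (name, {attr_lower: value_or_True})."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name, _, _ = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), attrs


def audit_login_response(headers):
    """Return {cookie_name: [problems]} for cookies that look like auth tokens.

    Without Secure, the token rides on every plain-HTTP request to the host,
    so anyone on an untrusted LAN can read and replay it. HSTS only helps once
    the browser has already seen that header over HTTPS, so it is reported as
    a partial mitigation rather than a fix.
    """
    hsts = any(k.lower() == "strict-transport-security" for k, _ in headers)
    findings = {}
    for field, value in headers:
        if field.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        if not any(hint in name.lower() for hint in TOKEN_HINTS):
            continue
        problems = []
        if "secure" not in attrs:
            problems.append("no Secure attribute: token travels over plain HTTP"
                            + (" (HSTS limits this after first visit)" if hsts else ""))
        if "httponly" not in attrs:
            problems.append("no HttpOnly attribute: token readable by page script")
        if problems:
            findings[name] = problems
    return findings
```

Running `audit_login_response(LOGIN_RESPONSE_HEADERS)` on the sample flags only `session`, the cookie that would be sent in the clear on every HTTP request after the HTTPS login.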