
Re: Draft finding - "Transitioning the Web to HTTPS"

From: Mark Nottingham <mnot@mnot.net>
Date: Tue, 9 Dec 2014 15:09:24 +1100
Cc: "www-tag@w3.org List" <www-tag@w3.org>
Message-Id: <4C369424-46A3-4759-B700-32B18181E38D@mnot.net>
To: Noah Mendelsohn <nrm@arcanedomain.com>

> On 9 Dec 2014, at 11:57 am, Noah Mendelsohn <nrm@arcanedomain.com> wrote:
> II. Privacy
> I also have the vague impression that there is a loss of privacy that indirectly results from the reduced practicality of proxies, but I'm not sure that intuition is correct. If there are privacy issues with the HTTPS transition, that would be worth exploring too.

Is the thought here that it's harder to view what's happening on the wire between your browser and the server, and thus harder to verify that a site isn't abusing your private data, etc.?

If so, I've had similar misgivings -- backed up by conversations with Balachander Krishnamurthy at AT&T, who said that it would have been much harder for them to find how pervasive cookie tracking was had everything been encrypted <http://www.sigcomm.org/ccr/papers/2010/January/1672308.1672328>.

When I talk to browser folks about this, they say that you can still install a CA to observe traffic, or look at the console / dev tools, etc. I think that's a reasonable answer, but one that needs better tools available to foster this kind of research.

What I found more convincing was the fact that the genie is already out of the bottle; if a site wants to hide something like this from casual view on the network, HTTPS is already available. 


Mark Nottingham   https://www.mnot.net/
Received on Tuesday, 9 December 2014 04:09:50 UTC
