
Re: Draft finding - "Transitioning the Web to HTTPS"

From: Marc Fawzi <marc.fawzi@gmail.com>
Date: Tue, 9 Dec 2014 19:36:17 -0800
Message-Id: <9FC7C7F8-B4E0-4D82-AB29-1103C357A524@gmail.com>
Cc: Mark Nottingham <mnot@mnot.net>, Noah Mendelsohn <nrm@arcanedomain.com>, "www-tag@w3.org List" <www-tag@w3.org>
To: Bjoern Hoehrmann <derhoermi@gmx.net>

I think this list is public for a reason, right? So concerned citizens of the web can voice their opinion? Or maybe another reason?

Anyway, as far as opinions go, I think that APIs that only work on HTTPS but could in reality work on HTTP mean that if some app wanted to use such an API then it must purchase an SSL certificate (I think they still cost a lot of money) and incur extra cost in the cloud or data center.



Sent from my iPhone

> On Dec 9, 2014, at 1:23 PM, Bjoern Hoehrmann <derhoermi@gmx.net> wrote:
> 
> * Mark Nottingham wrote:
>> When I talk to browser folks about this, they say that you can still 
>> install a CA to observe traffic, or look at the console / dev tools, 
>> etc. I think that's a reasonable answer, but one that needs better tools 
>> available to foster this kind of research.
> 
> It is actually quite common that you cannot install certificates and do
> not have debugging tools available, or would not be able to rely on them
> because their use is detectable. Considering that heteronomous computing
> is being made a fundamental part of the Web, it seems very unlikely that
> the TAG would agree that users have a right to know what their computers
> do and what data they send and receive.
> -- 
> Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
> D-10243 Berlin · PGP Pub. KeyID: 0xA4357E78 · http://www.bjoernsworld.de
> Available for hire in Berlin (early 2015)  · http://www.websitedev.de/ 
> 
Received on Wednesday, 10 December 2014 03:36:52 UTC
