W3C home > Mailing lists > Public > www-tag@w3.org > December 2014

RE: Draft finding - "Transitioning the Web to HTTPS"

From: Domenic Denicola <d@domenic.me>
Date: Wed, 10 Dec 2014 17:18:04 +0000
To: Marc Fawzi <marc.fawzi@gmail.com>
CC: "Eric J. Bowman" <eric@bisonsystems.net>, Chris Palmer <palmer@google.com>, Melvin Carvalho <melvincarvalho@gmail.com>, "Mark Nottingham" <mnot@mnot.net>, "www-tag@w3.org List" <www-tag@w3.org>
Message-ID: <CY1PR0501MB1369E0AFA7C8EDBE73A3F58EDF620@CY1PR0501MB1369.namprd05.prod.outlook.com>
From: Marc Fawzi [mailto:marc.fawzi@gmail.com] 

> - Why does Web Crypto in Chrome depend on https? Transmitting the user's public key over http is how public keys are supposed to be used, in the open. I don't think anyone in their right mind would want to transmit the user's private key (if that's even technically possible... have yet to read about the extractable property and how that works)

It's not about transmitting the key. It's about transmitting the code that does encryption or decryption. If I can modify that code, I can intercept any supposedly "encrypted" data, or any data that was supposedly meant to be decrypted only on the user's local computer and not sent elsewhere.

I'm sure others can give a more in-depth answer.

> - what happens when my employer becomes a CA and has a Web gateway for https traffic? They can see the contents of my gmail, facebook, bank account and everything else including communication with a lawyer etc that's normally protected. By the way, I do know several employers who are able to monitor https traffic going over their networks (including vpn for remote workers)

Yes, if someone else has root on your machine, you're in trouble no matter what.

> So basically, https doesn't help protect a user's privacy in such case, but Web Crypto could,

Nope, web crypto needs a secure transport to make any sense at all. It's a bootstrapping problem. If you're on an insecure channel (whether HTTP or employer-MITMed HTTPS), web crypto provides no guarantees at all.

Received on Wednesday, 10 December 2014 17:18:37 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 7 January 2015 15:33:27 UTC