Re: Draft finding - "Transitioning the Web to HTTPS"

On 10 December 2014 at 18:18, Domenic Denicola <d@domenic.me> wrote:

> From: Marc Fawzi [mailto:marc.fawzi@gmail.com]
>
> > - Why does Web Crypto in Chrome depend on https? Transmitting the user's
> > public key over http is how public keys are supposed to be used, in the
> > open. I don't think anyone in their right mind would want to transmit the
> > user's private key (if that's even technically possible... have yet to read
> > about the extractable property and how that works)
>
> It's not about transmitting the key. It's about transmitting the code that
> does encryption or decryption. If I can modify that code, I can intercept
> any supposedly "encrypted" data, or any data that was supposedly meant to
> be decrypted only on the user's local computer and not sent elsewhere.
>
> I'm sure others can give a more in-depth answer.
>
> > - what happens when my employer becomes a CA and has a Web gateway for
> > https traffic? They can see the contents of my gmail, facebook, bank
> > account and everything else including communication with a lawyer etc
> > that's normally protected. By the way, I do know several employers who are
> > able to monitor https traffic going over their networks (including vpn for
> > remote workers)
>
> Yes, if someone else has root on your machine, you're in trouble no matter
> what.
>
> > So basically, https doesn't help protect a user's privacy in such case,
> > but Web Crypto could,
>
> Nope, web crypto needs a secure transport to make any sense at all. It's a
> bootstrapping problem. If you're on an insecure channel (whether HTTP or
> employer-MITMed HTTPS), web crypto provides no guarantees at all.
>

Firstly, HTTP isn't always insecure, it can be, but is not always.

Some of the functions in web crypto such as SHA256, or even AES, are useful
over HTTP.

Fortunately Firefox, at least for now, is less restrictive than Chrome in
that respect, so I'm thankful as a developer to be given the opportunity to
prototype and test code more freely.

I don't understand why it's not a developer switch like CORS is.

Received on Wednesday, 10 December 2014 17:29:05 UTC
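
Added example, not part of the thread above: a page-side check that separates the two browser behaviours the messages describe (crypto.subtle withheld on insecure origins, or exposed while the calling code arrived over plain HTTP). The function names are hypothetical, and the origin rules are a simplified reading of the later W3C Secure Contexts definition of a "potentially trustworthy" origin.

```javascript
// Added example; isPotentiallyTrustworthy and webCryptoStatus are hypothetical names.

// Simplified "potentially trustworthy origin" test: authenticated schemes
// plus loopback hosts, which never leave the machine.
function isPotentiallyTrustworthy(urlString) {
  const u = new URL(urlString);
  if (u.protocol === "https:" || u.protocol === "wss:") return true;
  const host = u.hostname;
  if (host === "localhost" || host.endsWith(".localhost")) return true;
  if (/^127(\.\d{1,3}){3}$/.test(host)) return true; // 127.0.0.0/8
  if (host === "[::1]") return true;                 // IPv6 loopback
  return false;
}

// env stands in for the browser's window object: { crypto, isSecureContext, location }.
function webCryptoStatus(env) {
  const hasSubtle = Boolean(env.crypto && env.crypto.subtle);
  // Prefer the browser's own verdict when it exposes one; otherwise
  // fall back to classifying the page URL.
  const secure = typeof env.isSecureContext === "boolean"
    ? env.isSecureContext
    : isPotentiallyTrustworthy(env.location.href);

  if (!hasSubtle) {
    // The browser withholds the API on this origin.
    return "unavailable";
  }
  if (!secure) {
    // The API is exposed, but the script calling it was delivered over a
    // channel that could be modified in transit, so its results carry no
    // guarantee about what code actually ran.
    return "available-untrusted-delivery";
  }
  // Limitation: an HTTPS connection terminated by a gateway whose CA is
  // installed on the machine still reports as secure; no page-side check
  // can see that interception.
  return "ok";
}
```

In a browser, call `webCryptoStatus(window)` before relying on any `crypto.subtle` result and log or surface any status other than "ok".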