
Re: Draft finding - "Transitioning the Web to HTTPS"

From: Marc Fawzi <marc.fawzi@gmail.com>
Date: Fri, 12 Dec 2014 12:48:38 -0800
Message-Id: <56A16966-FB34-4D8C-AE5F-97B2179F318B@gmail.com>
Cc: Mark Watson <watsonm@netflix.com>, Domenic Denicola <d@domenic.me>, "Eric J. Bowman" <eric@bisonsystems.net>, Chris Palmer <palmer@google.com>, Mark Nottingham <mnot@mnot.net>, "www-tag@w3.org List" <www-tag@w3.org>
To: Melvin Carvalho <melvincarvalho@gmail.com>
To your off-topic point: Web Crypto is very powerful, but things always get a little complicated when security is involved. For example, the key info can be stored, but it's outside the browser context, so it can't use local storage (for obvious reasons).

Sent from my iPhone

> On Dec 12, 2014, at 10:45 AM, Melvin Carvalho <melvincarvalho@gmail.com> wrote:
> 
> 
> 
>> On 10 December 2014 at 18:26, Mark Watson <watsonm@netflix.com> wrote:
>> 
>> 
>>> On Wed, Dec 10, 2014 at 9:18 AM, Domenic Denicola <d@domenic.me> wrote:
>>> 
>>> Nope, web crypto needs a secure transport to make any sense at all. It's a bootstrapping problem. If you're on an insecure channel (whether HTTP or employer-MITMed HTTPS), web crypto provides no guarantees at all.
>> 
>> This is a side issue that we should not rathole on, but the reason the WebCrypto Working Group declined to restrict WebCrypto to secure origins was that there are some *limited* things that can be obtained with WebCrypto even for HTTP sites. For example, confidentiality against passive monitoring. The counter-argument is that such things are of no utility, but that is a use-case-dependent judgement call, rather than a technical issue.
> 
> +1
> 
> <offtopic>
> 
> Web crypto has limited use. I've come to the conclusion that localStorage + polyfill will meet needs.
> 
> </offtopic>
>  
>> 
>> ...Mark
> 
Received on Friday, 12 December 2014 20:49:13 UTC
