Re: Fwd (TAG): Draft finding - "Transitioning the Web to HTTPS"

A few comments, all minor:

1) "We recognize that HTTPS will not solve all — or even many — security problems"

I hope it solves *many* problems; maybe it doesn’t solve “most” problems? If it only solves *few* problems, is it worth doing?

2) I really think that this paragraph needs considerably more text:

"We recognize that as this policy is implemented, it will further reduce the utility of shared HTTP caches -- a trend started by the transition of many popular Web sites to HTTPS (and thus, loss of a high proportion of cache hits). This is an unfortunate outcome, and we should continue to examine how efficiency can be gained without compromising security."

As I think many fear that if they go to HTTPS their users’ perceived performance will go to hell.  Since we have a CDN employee on the Tag, I expect that they can say more :-)

3) We had an interesting offline discussion at the privacy workshop on "imagine if every router on the internet did NAT".  This means that the ability to trace people by IP address would be curtailed: people often don't bother to reduce fingerprinting because the source IP address has already 'given the game away'. It's an interesting thought experiment, but its impact on security might be negative.  (And there are many other problems, notably peer-peer connections for things like telephony.)

Maybe worth a paragraph?

4) A discussion of the point from web-sites “look, all my content is public, I have nothing to hide and hence nothing to secure” maybe needs addressing?  (“You may not, but you are exposing your customers/visitors by insisting on plain HTTP.”)


> On Dec 9, 2014, at 8:10 , Wendy Seltzer <wseltzer@w3.org> wrote:
> 
> Nice new work in the TAG. I commented on one of the privacy benefits in
> the TAG thread http://lists.w3.org/Archives/Public/www-tag/2014Dec/0030.html
> and encourage PING to take a look at the draft:
> 
> -------- Forwarded Message --------
> Subject: Draft finding - "Transitioning the Web to HTTPS"
> Resent-Date: Mon, 08 Dec 2014 23:29:30 +0000
> Resent-From: www-tag@w3.org
> Date: Tue, 9 Dec 2014 10:28:58 +1100
> From: Mark Nottingham <mnot@mnot.net>
> To: www-tag@w3.org List <www-tag@w3.org>
> 
> We've started work on a new Finding, to a) serve as a Web version of the
> IAB statement, and b) support the work on Secure Origins in WebAppSec.
> 
> See: <https://w3ctag.github.io/web-https/>
> 
> Repo w/ issues list at <https://github.com/w3ctag/web-https>.
> 
> Cheers,
> 
> 
> --
> Mark Nottingham   https://www.mnot.net/
> 

David Singer
Manager, Software Standards, Apple Inc.

Received on Friday, 19 December 2014 20:26:15 UTC