
Re: Considering the pressure to turn HTTPS into a three-party protocol

From: Eric J. Bowman <eric@bisonsystems.net>
Date: Fri, 20 Feb 2015 14:00:21 -0700
To: Noah Mendelsohn <nrm@arcanedomain.com>
Cc: Bjoern Hoehrmann <derhoermi@gmx.net>, "www-tag@w3.org List" <www-tag@w3.org>
Message-Id: <20150220140021.fd07d6d57ebe34dea2c9b06f@bisonsystems.net>

Noah Mendelsohn wrote:
> 
> The situation with ISPs violating the specification to me seems very 
> different in spirit. ISPs are doing this specifically to interfere
> with the contract between users and resource providers, in exactly
> the situation the specification was written to address.
> 

With Lenovo and Samsung now caught doing MitM HTTPS ad injection, it's
time to stop referring to this as an ISP issue. Or blaming users -- not
opting in, or opting out, fails to remove the Superfish root cert that
came pre-installed on their device. Removing or disabling Superfish
doesn't remove that root cert. I wouldn't begin to know how to remove a
cert from a TV, I'm sure.

Superfish illustrates exactly the point I was trying to make before,
which is I can't make any promises of privacy or security when I'm
subject to the weakest link in the CA chain, i.e. a self-signed root
cert with a well-known password, shipping with who-knows-how-many
systems (we've only heard about Lenovo). Which, when it's put there by
huge multinational device vendors, becomes a much larger problem than
some users getting tricked into opting-in to installing an untrusted
root cert.

Which means hey, yeah, Noah's right -- that does violate the spec, for
good reason that editing the spec won't fix. But there's nothing I can
do about it from the server side.

What's interesting to me is how this week's revelations have obsoleted
the framing of this debate. The pressure to make HTTPS three-party is
also coming from the likes of Samsung, Lenovo, and Israeli intelligence?

"So ex-surveillance agents, operating in both the private and public
spheres, have ostensibly combined their powers to force ads onto
people's computers, leaving web users open to other forms of attack.
That's startling and frightening for anyone who cares about privacy or
security.

Regardless of the furore that's exploded online since the Lenovo
revelations, and the fascinating history of Pinhas and his firm,
Superfish is still earning a packet. Forbes ranked it 64th in the most
promising American companies of 2015 and reported revenues of $38
million. It pays to be invasive these days."

http://www.forbes.com/sites/thomasbrewster/2015/02/19/superfish-history-of-malware-and-surveillance/

Not to mention the pressure from the "invisible hand of the market"
which sees "SSL Digestor" as a Good Thing so long as it's profitable
for those companies implementing it for whatever reason. What else is
out there with Komodia's tech, in a way non-obvious to users?

-Eric
Received on Friday, 20 February 2015 21:00:58 UTC
