- From: Eric J. Bowman <eric@bisonsystems.net>
- Date: Fri, 20 Feb 2015 14:00:21 -0700
- To: Noah Mendelsohn <nrm@arcanedomain.com>
- Cc: Bjoern Hoehrmann <derhoermi@gmx.net>, "www-tag@w3.org List" <www-tag@w3.org>
Noah Mendelsohn wrote:
>
> The situation with ISPs violating the specification to me seems very
> different in spirit. ISPs are doing this specifically to interfere
> with the contract between users and resource providers, in exactly
> the situation the specification was written to address.
>

With Lenovo and Samsung now caught doing MitM HTTPS ad injection, it's time to stop referring to this as an ISP issue. Or blaming users -- not opting in, or opting out, fails to remove the Superfish root cert that came pre-installed on their device. Removing or disabling Superfish doesn't remove that root cert. I wouldn't begin to know how to remove a cert from a TV, I'm sure.

Superfish illustrates exactly the point I was trying to make before, which is I can't make any promises of privacy or security when I'm subject to the weakest link in the CA chain, i.e. a self-signed root cert with a well-known password, shipping with who-knows-how-many systems (we've only heard about Lenovo). Which, when it's put there by huge multinational device vendors, becomes a much larger problem than some users getting tricked into opting in to installing an untrusted root cert. Which means hey, yeah, Noah's right -- that does violate the spec, for good reason that editing the spec won't fix. But there's nothing I can do about it from the server side.

What's interesting to me is how this week's revelations have obsoleted the framing of this debate. The pressure to make HTTPS three-party is also coming from the likes of Samsung, Lenovo, and Israeli intelligence?

"So ex-surveillance agents, operating in both the private and public spheres, have ostensibly combined their powers to force ads onto people's computers, leaving web users open to other forms of attack. That's startling and frightening for anyone who cares about privacy or security.

Regardless of the furore that's exploded online since the Lenovo revelations, and the fascinating history of Pinhas and his firm, Superfish is still earning a packet. Forbes ranked it 64th in the most promising American companies of 2015 and reported revenues of $38 million. It pays to be invasive these days."

http://www.forbes.com/sites/thomasbrewster/2015/02/19/superfish-history-of-malware-and-surveillance/

Not to mention the pressure from the "invisible hand of the market" which sees "SSL Digestor" as a Good Thing so long as it's profitable for those companies implementing it for whatever reason. What else is out there with Komodia's tech, in a way non-obvious to users?

-Eric
Received on Friday, 20 February 2015 21:00:58 UTC