Re: Reasonable proposal for migrating to 2.0

On Sun, Nov 17, 2013 at 09:57:22PM +0000, Poul-Henning Kamp wrote:
> In message <20131117204928.GA18577@1wt.eu>, Willy Tarreau writes:
> 
> >1) browser: make the root and/or cert issuer on HTTPS sites for the main
> >   page visible all the time, just like the page's title is currently
> >   visible (add it next to the title or at the bottom ?)
> 
> That could work for open-source browsers.  For closed source browsers
> of US origin, there's no telling what they can or will tell the user
> or what relationship that might have with the truth.

You can say the same about their TLS libs anyway, so that's not an
issue we can cover using a protocol.

> >2) protocol: add a new "httpe://" scheme
> 
> Anything which tries to add another scheme is going to be serious
> uphill work, so it had better be for a reason which amounts to
> more than some cryptographic mumbo-jumbo 99.9% of webmasters
> are not entirely sure what means.

Note I'm not talking about sites, but more the rare use cases where
we currently expect a self-signed cert to be OK (basically your WiFi
router's setup page, or for developers to test HTTP/2 without having
to request a cert for each host:port combination they work on).

> I don't think your idea clears that hurdle.
> 
> I think it is a better idea to just stick with "https:" and leave
> it to the server side to negotiate as much security as they want,
> and hope that user-agents faithfully indicates this to the user.
> 
> >3) browser: get rid of the ability to bypass the cert error for HTTPS
> >   (except maybe for developers using a config option). 
> 
> See above.
> 
> At least 50% of the pervasive surveillance problem is software we
> cannot trust on the client side.

I don't think it's that high if we're talking about surveillance. If
we're talking about information leaks, it might be much higher however.

Willy

Received on Sunday, 17 November 2013 22:51:27 UTC