
Re: Some reasons why mandating use of SSL for HTTP is a really bad idea

From: Henry Story <henry.story@bblfish.net>
Date: Wed, 18 Jul 2012 19:12:04 +0200
Cc: "Adrien W. de Croy" <adrien@qbik.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Message-Id: <B83FAEB3-DE6D-4F18-B874-7EAE57AF211C@bblfish.net>
To: Zhong Yu <zhong.j.yu@gmail.com>

On 18 Jul 2012, at 19:01, Zhong Yu wrote:

> On Tue, Jul 17, 2012 at 10:25 PM, Adrien W. de Croy <adrien@qbik.com> wrote:
>> What about the other hundreds of millions of us running web servers.  You
>> gonna buy us our certs?
> Agreed. It's absolutely impractical to mandate officially signed certs
> on every website. That's a huge hurdle for small sites; and all big
> sites started from small sites.

Unless of course you start deploying IETF DANE, which could make the procurement of
such certs a lot easier, since it just requires placing a public key in DNSSEC.

Making it easy to install such certs could be the task of a WG. Then one could add
other services to verify that these certificates are not tampered with.

> ---
> Here's a related story that's very interesting. Self-signed certs are
> used by the official ticket booking site of the Ministry of Railways of
> China. Apparently they want to save a few bucks.
> Customers are asked to download and install an untrusted root cert
> from its website. From an average user's point of view, that makes sense
> - if you do more work, that's got to increase security, right? Almost
> everybody in China takes trains, so this root cert must have been
> installed widely.
> http://www.12306.cn
> "To ensure a smooth booking experience, please download and install
> the root certificate"
> http://www.12306.cn/mormhweb/kyfw/question/201204/t20120427_2115.html
> FAQ > Security Alert
> When a user tries to log in, often he/she will see IE security
> warnings ... That's because the user has not imported the root
> certificate shown on the home page ... To navigate the site smoothly,
> simply follow the instructions and import the root certificate.
> The root cert and instructions:
> http://www.12306.cn/mormhweb/ggxxfw/wbyyzj/201106/srca12306.zip
> a cert signed by the root cert
> https://dynamic.12306.cn

Social Web Architect
Received on Wednesday, 18 July 2012 17:12:46 UTC
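The DANE mechanism Henry points to (RFC 6698 TLSA records served from a DNSSEC-signed zone) pins either a whole certificate or just its public key in DNS, so a site can use a self-issued certificate without a commercial CA. As an added example that is not part of this thread, the following stdlib-only Python builds a TLSA record from a DER-encoded certificate and checks a certificate a server presents against it. The certificate is constructed in code (hypothetical, unsigned, not a valid X.509 certificate; the name and key bytes are made up) so the example runs offline, and it goes one step beyond the mail by showing why selector 1 (SubjectPublicKeyInfo) survives a certificate renewal while selector 0 (full certificate) does not.

```python
"""Build and check DANE TLSA records (RFC 6698) for a DER-encoded certificate.

Stdlib only. The certificate used below is constructed in code so the example
runs offline; it has the X.509 field layout but carries no real signature.
"""
import hashlib

# ---- minimal DER helpers: an encoder for the constructed sample, a decoder to walk it ----

def der_len(n: int) -> bytes:
    """DER length octets (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag: int, content: bytes) -> bytes:
    """One DER TLV."""
    return bytes([tag]) + der_len(len(content)) + content


def der_read(buf: bytes, pos: int = 0):
    """Decode the TLV at buf[pos]; return (tag, content, position after the TLV)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, header = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        header = 2 + nbytes
    start = pos + header
    return tag, buf[start:start + length], start + length


def der_children(content: bytes):
    """Split a constructed value into its child TLVs, returned as (tag, whole TLV bytes)."""
    out, pos = [], 0
    while pos < len(content):
        tag, _, nxt = der_read(content, pos)
        out.append((tag, content[pos:nxt]))
        pos = nxt
    return out


def extract_spki(cert_der: bytes) -> bytes:
    """Walk Certificate -> tbsCertificate and return the SubjectPublicKeyInfo TLV (DER)."""
    _, cert_body, _ = der_read(cert_der)
    tbs_tlv = der_children(cert_body)[0][1]
    _, tbs_body, _ = der_read(tbs_tlv)
    fields = der_children(tbs_body)
    if fields[0][0] == 0xA0:          # optional EXPLICIT [0] version comes first
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5][1]


# ---- TLSA record data (RFC 6698 section 2.1) ----

def tlsa_rdata(cert_der: bytes, usage: int, selector: int, mtype: int) -> str:
    """Presentation-format RDATA: usage, selector (0 = full cert, 1 = SPKI), matching type."""
    data = cert_der if selector == 0 else extract_spki(cert_der)
    if mtype == 0:
        assoc = data                        # exact match on the raw bytes
    elif mtype == 1:
        assoc = hashlib.sha256(data).digest()
    elif mtype == 2:
        assoc = hashlib.sha512(data).digest()
    else:
        raise ValueError(f"unknown matching type {mtype}")
    return f"{usage} {selector} {mtype} {assoc.hex()}"


def tlsa_matches(record: str, cert_der: bytes) -> bool:
    """Does the certificate a server presented satisfy a published TLSA record?"""
    usage, selector, mtype, assoc = record.split(None, 3)
    expected = tlsa_rdata(cert_der, int(usage), int(selector), int(mtype)).split(None, 3)[3]
    return expected == assoc.replace(" ", "").lower()


# ---- constructed sample certificate (hypothetical, not a valid signed X.509 cert) ----

def build_sample_cert(pubkey_bytes: bytes, serial: int = 1) -> bytes:
    """Toy certificate with the standard field order; serial must be < 128 for this encoder."""
    rsa_alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")) + der(0x05, b""))  # rsaEncryption, NULL
    name = der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x13, b"example.test"))))  # CN only
    version = der(0xA0, der(0x02, b"\x02"))                                    # v3
    validity = der(0x30, der(0x17, b"120718000000Z") + der(0x17, b"130718000000Z"))
    spki = der(0x30, rsa_alg + der(0x03, b"\x00" + pubkey_bytes))              # BIT STRING, 0 unused bits
    tbs = der(0x30, version + der(0x02, bytes([serial])) + rsa_alg + name + validity + name + spki)
    fake_sig = der(0x03, b"\x00" + bytes(16))                                  # placeholder, not a signature
    return der(0x30, tbs + rsa_alg + fake_sig)


KEY_A = b"\x30\x06\x02\x01\x03\x02\x01\x03"   # constructed bytes standing in for a public key
KEY_B = b"\x30\x06\x02\x01\x05\x02\x01\x05"   # a different constructed key

if __name__ == "__main__":
    cert = build_sample_cert(KEY_A)
    print("_443._tcp.example.test. IN TLSA", tlsa_rdata(cert, 3, 1, 1))
```

Usage 3 (DANE-EE) is the case the mail describes: the record itself names the end-entity key, so no CA chain is consulted and the DNSSEC signature on the record is what stands in for the CA. The code does not fetch DNS or validate DNSSEC; a client must obtain the record over a validating resolver before `tlsa_matches` means anything.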
