- From: Nicolas Mailhot <nicolas.mailhot@laposte.net>
- Date: Thu, 19 Jul 2012 21:27:59 +0200
- To: "Mike Belshe" <mike@belshe.com>
- Cc: "httpbis mailing list" <ietf-http-wg@w3.org>
> Read this article
> and then ask yourself if that is really true.
> http://www.imperialviolet.org/2012/07/19/hope9talk.html
> Mixed modes of sometimes-secure-and-sometimes-not-secure open a slew of
> attacks that are only solved if you're all TLS all the time. If someone
> has a better solution, let me know; I don't know of one.

Sadly that only shows you didn't understand (or chose to misunderstand) the article. What this article actually says is that:

1. in-clear transmission without integrity checks is dangerous (that's a signing property, not a TLS property)

2. TLS offers dubious security as it posits users can identify trusted certificates, but “Asking regular people to evaluate the validity of X.509 certificates is insane.” (and asking anyone else to do it is putting their security in third-party hands)

3. as soon as you start sourcing elements from third parties or secondary web sites (regardless of whether it's in-clear or over TLS) your trust model is essentially gone. The only difference between in-clear and TLS sourcing is that in one case anyone can mess with your site, and in the other the breakage is limited to whoever has control of those third parties. Which quite often is not saying much (but ma, it is sooo convenient to source foreign content)

No amount of certificate or TLS slapping is going to make something like a planet that federates dozens of blogs, all running on their own (possibly rooted) blog platform, and referencing material from countless other sites, remotely trustable. And that's just an extreme case. Use Firefox with requestpolicy in anal mode for a few days and see how few sites render properly by default nowadays.

The only situation where TLS makes things “safe” (for dubious values of safe) is when everything on a web site is provided by a single entity, over a single certificate the user is used to and can easily recognize, which happens mostly on big-brother-is-watching-you walled-garden sites run by a few web heavyweights (in close cooperation with whatever state they happen to be headquartered in) or on very specialized web sites such as banks (but even banks are foolish enough to mash up their web sites nowadays. We may trust them but should we trust their advertising or geolocation partners?)

-- 
Nicolas Mailhot
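Point 1 of the message above separates integrity of a resource (a signing or digest property) from the transport it arrives over. The following is an added example, not code from this thread or from either participant: it pins a third-party resource with an SRI-style integrity string ("sha256-<base64>") and checks a fetched body against it, so a modification of the body is detected whether it travelled in the clear or over TLS. The resource bodies and the on-path modification are constructed sample data; the function names are this example's own.

```python
import base64
import binascii
import hashlib
import hmac

# Constructed sample: a script a page sources from a third party, and the
# same script after a constructed on-path modification.
ORIGINAL_BODY = b"window.widget = function () { return 'hello'; };\n"
TAMPERED_BODY = b"window.widget = function () { return 'altered'; };\n"

# Algorithms the check accepts, ordered by strength (index = rank).
_ALGOS = {"sha256": 0, "sha384": 1, "sha512": 2}


def sri_digest(body: bytes, algo: str = "sha256") -> str:
    """Return the integrity string a page author pins for a resource body."""
    if algo not in _ALGOS:
        raise ValueError("unsupported algorithm: " + algo)
    raw = hashlib.new(algo, body).digest()
    return algo + "-" + base64.b64encode(raw).decode("ascii")


def parse_integrity(value: str):
    """Parse a space-separated integrity attribute into (algo, digest) pairs.

    Tokens with an unknown algorithm or undecodable base64 are skipped rather
    than treated as a match, so a malformed pin never weakens the check.
    """
    pins = []
    for token in value.split():
        algo, _, b64 = token.partition("-")
        if algo not in _ALGOS or not b64:
            continue
        try:
            pins.append((algo, base64.b64decode(b64, validate=True)))
        except binascii.Error:
            continue
    return pins


def verify_integrity(body: bytes, integrity: str) -> bool:
    """True only if the body matches a pin of the strongest listed algorithm.

    The comparison is independent of how the body was transported; it only
    asserts that what arrived is what the page author pinned.
    """
    pins = parse_integrity(integrity)
    if not pins:
        return False  # no usable pin: no integrity claim can be made
    strongest = max(_ALGOS[algo] for algo, _ in pins)
    for algo, expected in pins:
        if _ALGOS[algo] != strongest:
            continue
        actual = hashlib.new(algo, body).digest()
        if hmac.compare_digest(actual, expected):
            return True
    return False


if __name__ == "__main__":
    pin = sri_digest(ORIGINAL_BODY)
    print("pin:", pin)
    print("original verifies:", verify_integrity(ORIGINAL_BODY, pin))
    print("tampered verifies:", verify_integrity(TAMPERED_BODY, pin))
```

The check only covers the resource itself: the pin has to reach the client intact, so it protects a third-party script sourced from a page whose own delivery is trusted, and it says nothing about whether the pinned content deserved trust in the first place, which is the separate problem the message raises in point 3.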
Received on Thursday, 19 July 2012 19:28:42 UTC