- From: Christian Huitema <huitema@huitema.net>
- Date: Sun, 15 Dec 2013 16:30:39 -0800
- To: "'Yoav Nir'" <synp71@live.com>, <ietf-http-wg@w3.org>
-----Original Message-----
From: Yoav Nir [mailto:synp71@live.com]
Sent: Sunday, December 15, 2013 3:53 AM
To: ietf-http-wg@w3.org
Subject: Re: Fwd: New Version Notification for draft-nottingham-http2-encryption-02.txt

On 15/12/13 9:16 AM, Christian Huitema wrote:
>> What that leaves unclear for me is how the current 30-40% of web
>> sites that are set up for some form of TLS will suddenly become
>> 99%. Without some other action on helping sites get certs, it
>> just won't happen would be my prediction.
> Either helping sites get certs, or adding support for self-signed
> certs. Maybe combine self-signed certs and pinning. Maybe use a naming
> convention, something like "www-selfsigned.example.com." Or maybe
> www-07FDAE37.example.com, where 07FDAE37 is some identifier of the
> self-signed cert. If the browsers knew to expect a self-signed cert,
> they would not have to put up the scary UI when they find one...
>

No scary UI means that a MitM or someone who has compromised the DNS can
hijack your connection, show a self-signed cert, and get no indication to
the user that something is wrong. So (let's use hotmail, because not all
examples have to be gmail): http://hotmail.com redirects to
https://selfsigned.live.com which has a self-signed certificate, and
everything looks fine. Except it's an attacker.

They can mitigate this by adding HSTS, or better yet, HPKP. But that is
forcing the website to do work just to regain the scary UI. Making pinning
a requirement for using self-signed certificates seems backwards, as
pinning is dangerous stuff (see all the warnings in the draft) that can
easily brick your website. I don't think it's suitable for the 60-70% who
can't or won't get a proper certificate. If you can't afford a $10 DV
certificate, you can't afford the IT staff to do HPKP safely.

Yoav
Received on Monday, 16 December 2013 00:31:35 UTC
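The two browser-side checks contrasted in the exchange above, played out in code. This is an added example, not code from the thread, the draft, or any browser: it generates two throw-away self-signed certificates in memory (one for the real site, one for the MitM who controls the redirect or the DNS), then runs both against Huitema's naming-convention rule and against an HPKP-style SPKI pin. Assumptions: the "07FDAE37" identifier is read here as the first four bytes of SHA-256 over the certificate's SubjectPublicKeyInfo (the thread does not say how it is derived); example.com, the P-256 keys and the one-day validity are constructed test data; NameConventionAccepts, SPKIPin, PinAccepts and Scenario are names chosen for this example. Standard library only.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// spkiTag: assumed reading of the "07FDAE37" part, first 4 bytes of SHA-256(SPKI) as upper-case hex.
func spkiTag(spki []byte) string {
	sum := sha256.Sum256(spki)
	return strings.ToUpper(hex.EncodeToString(sum[:4]))
}

// mintSelfSigned generates a fresh P-256 key, names the host after that key, and
// issues a throw-away self-signed leaf for it (constructed test data, no real site).
func mintSelfSigned(domain string) (string, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", nil, err
	}
	spki, _ := x509.MarshalPKIXPublicKey(&key.PublicKey) // cannot fail for a key just generated
	host := "www-" + spkiTag(spki) + "." + domain
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return "", nil, err
	}
	c, err := x509.ParseCertificate(der)
	return host, c, err
}

// NameConventionAccepts is the rule Huitema sketches: no scary UI when the cert matches the
// name and the name's tag matches the cert's key. It has no memory of earlier visits.
func NameConventionAccepts(host string, c *x509.Certificate) bool {
	if c.VerifyHostname(host) != nil {
		return false
	}
	label := strings.SplitN(host, ".", 2)[0]
	if !strings.HasPrefix(label, "www-") {
		return false
	}
	return strings.TrimPrefix(label, "www-") == spkiTag(c.RawSubjectPublicKeyInfo)
}

// SPKIPin is the HPKP (RFC 7469) pin value: base64(SHA-256(SubjectPublicKeyInfo)).
func SPKIPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// PinAccepts is the HPKP rule: the presented key must match a pin remembered from an unattacked visit.
func PinAccepts(pins []string, c *x509.Certificate) bool {
	got := SPKIPin(c)
	for _, p := range pins {
		if p == got {
			return true
		}
	}
	return false
}

// Scenario is the hotmail example: the real site and the MitM each present their own self-signed cert.
func Scenario() (nameLegit, nameMitm, pinLegit, pinMitm bool, err error) {
	legitHost, legit, err := mintSelfSigned("example.com")
	if err != nil {
		return
	}
	mitmHost, mitm, err := mintSelfSigned("example.com") // attacker's own key, attacker-chosen name
	if err != nil {
		return
	}
	pins := []string{SPKIPin(legit)} // what a prior honest visit would have stored
	nameLegit = NameConventionAccepts(legitHost, legit)
	nameMitm = NameConventionAccepts(mitmHost, mitm)
	pinLegit = PinAccepts(pins, legit)
	pinMitm = PinAccepts(pins, mitm)
	return
}

func main() {
	nl, nm, pl, pm, err := Scenario()
	fmt.Println(nl, nm, pl, pm, err) // naming rule accepts both certs; the pin rejects the MitM
}
```

The naming rule passes for the attacker because it only ties a name to a key, and the party who controls the redirect (or the DNS answer) also picks the name. The pin rejects the attacker because it ties the site to a key the browser saw before the attack, which is exactly the state a site must manage: RFC 7469 requires the Public-Key-Pins header to carry a backup pin for a key not in the current chain, and a site that loses both keys while max-age is still running locks every returning browser out, which is the failure mode Yoav is pointing at.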