- From: Thomas Roessler <tlr@w3.org>
- Date: Wed, 4 Feb 2009 00:59:31 +0100
- To: public-bpwg-comments@w3.org
- Cc: François Daoust <fd@w3.org>, Mary-Ellen Zurko <mzurko@us.ibm.com>, W3C WSC Internal <public-wsc-wg@w3.org>
Hi,

thanks for your request for advice with respect to the proposed best practices on the use of HTTPS. The Web Security Context Working Group has considered the proposed best practice on a recent conference call.

The short version of the advice is "don't do this, it's a bad practice."

The longer version: We believe that you mean to recommend token-based authentication schemes (where only an initial login transaction is done through HTTPS, but most interactions are through plain HTTP, with an appropriate token transmitted as a cookie or in some HTTP header) similar to the ones currently in use at large web properties. While there may be situations in which the use of such schemes is justified as the result of a complex trade-off, we oppose a best practice recommending this approach.

There are several reasons for this advice:

1. Use of HTTP in such schemes often leaves the asset that should really be protected out in the open: E.g., a webmail service implemented according to this advice might permit an attacker full access to the victim's inbox.

2. When using TLS, there is no reason to repeat the initial public key handshake for every single HTTP request: The resource-intensive piece of the protocol occurs when the TLS handshake is first executed (e.g., when accessing the login page); future HTTP requests only require cheap symmetric key operations.

3. The practice described is particularly bad in the case of applications targeted at mobile use: Mobile devices are increasingly used to access the Web through whatever Wireless LAN might be available. There is no reason to trust these networks; indeed, there is hardly a situation with a higher exposure to network attacks than an untrusted Wireless LAN environment. Therefore, the Best Practices document should call out the overall risk profile, and *encourage* use of TLS.

4. We note that your specification seems to aim at relatively complex Web Applications, which implies a high likelihood that powerful mobile devices will be used with these applications. That implies both an even higher likelihood for the use of W-LAN, and a comparably low likelihood that resource constraints will indeed be seriously affected by the use of TLS.

On behalf of the Web Security Context WG,
--
Thomas Roessler, W3C <tlr@w3.org>
Received on Tuesday, 3 February 2009 23:59:43 UTC
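The pattern the message argues against (a session token issued over an HTTPS login and then replayed on plain-HTTP requests) can be spotted in captured traffic. The following is an added example, not part of the original message or any W3C deliverable; the exchange records, host name and cookie values are constructed sample data, and the record layout is an assumption of the example.

```python
"""Flag session cookies issued over HTTPS that are later sent over plain HTTP.
Added example (not from the original message); SAMPLE_EXCHANGES is constructed."""
from urllib.parse import urlparse

# Constructed sample: login over HTTPS issues 'sid' without the Secure attribute,
# then the client reuses that cookie on plain-HTTP requests to the same host.
SAMPLE_EXCHANGES = [
    {"url": "https://mail.example.test/login", "request_cookies": {},
     "set_cookie": "sid=abc123; Path=/; HttpOnly"},
    {"url": "http://mail.example.test/inbox",
     "request_cookies": {"sid": "abc123"}, "set_cookie": None},
    {"url": "http://mail.example.test/msg/42",
     "request_cookies": {"sid": "abc123"}, "set_cookie": None},
]


def parse_set_cookie(header):
    """Return (name, value, {attribute_lowercase: value}) for one Set-Cookie header."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def find_exposed_tokens(exchanges):
    """Return human-readable findings for cookies that end up in the clear.

    Two checks: a cookie set over HTTPS without the Secure attribute (the browser
    will happily send it over HTTP), and any cookie first issued over HTTPS whose
    value later appears in a plain-HTTP request (the token is now on the wire).
    """
    issued = {}  # cookie name -> value seen in a Set-Cookie header
    findings = []
    for ex in exchanges:
        scheme = urlparse(ex["url"]).scheme
        if ex.get("set_cookie"):
            name, value, attrs = parse_set_cookie(ex["set_cookie"])
            if scheme == "https":
                issued[name] = value
                if "secure" not in attrs:
                    findings.append(f"{name} set over HTTPS without Secure at {ex['url']}")
        if scheme == "http":
            for name, value in ex["request_cookies"].items():
                if issued.get(name) == value:
                    findings.append(f"{name} (issued over HTTPS) sent in cleartext to {ex['url']}")
    return findings
```

Running `find_exposed_tokens(SAMPLE_EXCHANGES)` reports the missing Secure attribute once and each cleartext replay of the token.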