WSC WG comment on proposed HTTPS best practice [mobile web apps best practices] from Thomas Roessler on 2009-02-03 (public-bpwg-comments@w3.org from January to March 2009)

From: Thomas Roessler <tlr@w3.org>
Date: Wed, 4 Feb 2009 00:59:31 +0100
To: public-bpwg-comments@w3.org
Cc: François Daoust <fd@w3.org>, Mary-Ellen Zurko <mzurko@us.ibm.com>, W3C WSC Internal <public-wsc-wg@w3.org>
Message-Id: <5928402F-BE10-4B72-A07A-5591DE1098CB@w3.org>

Hi,

thanks for your request for advice with respect to the proposed best  
practices on the use of HTTPS.  The Web Security Context Working Group  
has considered the proposed best practice on a recent conference call.

The short version of the advice is "don't do this, it's a bad practice."

The longer version:  We believe that you mean to recommend token-based  
authentication schemes (where only an initial login transaction is  
done through HTTPS, but most interactions are through plain HTTP, with  
an appropriate token transmitted as a cookie or in some HTTP header)  
similar to the ones currently in use at large web properties.  While  
there may be situations in which the use of such schemes is justified  
as the result of a complex trade-off, we oppose a best practice  
recommending this approach.  There are several reasons for this advice:

1. Use of HTTP in such schemes often leaves the asset that should  
really be protected out in the open:  E.g., a webmail service  
implemented according to this advice might permit an attacker full  
access to the victim's inbox.

2. When using TLS, there is no reason to repeat the initial public key  
handshake for every single HTTP request:  The resource-intensive piece  
of the protocol occurs when the TLS handshake is first executed (e.g.,  
when accessing the login page); future HTTP requests only require  
cheap symmetric key operations.

3. The practice described is particularly bad in the case of  
applications targeted at mobile use:  Mobile devices are increasingly  
used to access the Web through whatever Wireless LAN might be  
available.  There is no reason to trust these networks; indeed, there  
is hardly a situation with a higher exposure to network attacks than  
an untrusted Wireless LAN environment.  Therefore, the Best Practices  
document should call out the overall risk profile, and *encourage* use  
of TLS.

4. We note that your specification seems to aim at relatively complex  
Web Applications, which implies a high likelihood that powerful mobile  
devices will be used with these applications.  That implies both an  
even higher likelihood for the use of W-LAN, and a comparably low  
likelihood that resource constraints will indeed be seriously affected  
by the use of TLS.

On behalf of the Web Security Context WG,
--
Thomas Roessler, W3C  <tlr@w3.org>

Received on Tuesday, 3 February 2009 23:59:43 UTC