W3C home > Mailing lists > Public > public-privacy@w3.org > January to March 2015

Re: Fwd (TAG): Draft finding - "Transitioning the Web to HTTPS"

From: Marc Fawzi <marc.fawzi@gmail.com>
Date: Mon, 23 Feb 2015 06:07:47 -0800
Message-ID: <CACioZis7Y8s5yH7oQpoFrwTn2w+wTQqJzYEWQN_=Cvq=4vx4Vw@mail.gmail.com>
To: "Eric J. Bowman" <eric@bisonsystems.net>
Cc: Chris Palmer <palmer@google.com>, Nick Doty <npdoty@w3.org>, David Singer <singer@apple.com>, TAG List <www-tag@w3.org>, "public-privacy (W3C mailing list)" <public-privacy@w3.org>
http://zitseng.com/archives/7489

*Government-Linked Certificate Authorities in OS X (zitseng.com
<http://zitseng.com>)*

>From the comments on Hacker News:

"No, if they want to hack your SSL comms, they aren't going to do it by
using a MITM attack backed by a government-issued root CA, they are going
to do it by gaining access to a "neutral" CA (such as Verisign), and
obtaining the root certificate's private key. Now you would have a much
harder time of figuring out that something has gone wrong, but then, if
you're paranoid of the government spying on you, and you are using a CA
other than one you own yourself, you've already lost the battle."

I agree, no protocol or method can stop a nation state because things
ultimately come down to physical security.

But it is more reason to put the breaks on the idea that moving the whole
web to https is going to make a real difference. I don't think it will.
Once the users see https as a selective spying mechanism (open for govs,
closed for petty criminals) they really won't trust the web ever again,
unless you come up with a new protocol/story and keep evolving it in major
ways to stay ahead of the inevitable.

Copying the wisdom below (via another developer):

*On Derived Values*

This, milord, is my family's axe. We have owned it for almost nine hundred
years, see. Of course, sometimes it needed a new blade. And sometimes it
has required a new handle, new designs on the metalwork, a little
refreshing of the ornamentation . . . but is this not the nine
hundred-year-old axe of my family? And because it has changed gently over
time, it is still a pretty good axe, y'know. Pretty good.

-- Terry Pratchett, The Fifth Elephant

On Sun, Feb 22, 2015 at 6:33 PM, Eric J. Bowman <eric@bisonsystems.net>
wrote:

> Eric J. Bowman wrote:
> >
> > >
> > > I encourage you to read more about cryptography and cryptographic
> > > network protocols, and to try your hand at subverting HTTP and HTTPS
> > > traffic (on your own systems and networks only, of course). I think
> > > you'll find that the available security guarantees and
> > > non-guarantees of HTTP and of HTTPS are very different from what
> > > you have expressed in this thread.
> > >
> >
> > Thanks, but I don't think you've understood what it is I'm trying to
> > express.
> >
>
> Particularly, Superfish illustrates that the guarantees and non-
> guarantees of HTTP and HTTPS are *exactly* what I tried to express in
> this thread.
>
> Yes, I know. You're above this list now, or at least until March 30,
> while you write a book on Web security. Let's just say I'm not pre-
> ordering.
>
> -Eric
>
>
Received on Monday, 23 February 2015 14:08:57 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 February 2015 14:08:58 UTC