W3C home > Mailing lists > Public > public-privacy@w3.org > July to September 2019

Re: Fwd (TAG): Draft finding - "Transitioning the Web to HTTPS"

From: Marc Fawzi <marc.fawzi@gmail.com>
Date: Mon, 26 Aug 2019 18:36:59 -0700
Message-ID: <CACioZiv8xOH_ALLxoPy6s-M161QaoHzY1G-V-x46tn1jbdqhJQ@mail.gmail.com>
To: "Eric J. Bowman" <eric@bisonsystems.net>
Cc: Chris Palmer <palmer@google.com>, Nick Doty <npdoty@w3.org>, David Singer <singer@apple.com>, TAG List <www-tag@w3.org>, "public-privacy (W3C mailing list)" <public-privacy@w3.org>
5 years later, we can now bypass TLS with ALS (application level security)
while dancing around NIST recommended broken security standards in
WebCrypto etc


Enjoy this 5-year delayed response.

On Mon, Feb 23, 2015 at 6:07 AM Marc Fawzi <marc.fawzi@gmail.com> wrote:

> http://zitseng.com/archives/7489
> *Government-Linked Certificate Authorities in OS X (zitseng.com
> <http://zitseng.com>)*
> From the comments on Hacker News:
> "No, if they want to hack your SSL comms, they aren't going to do it by
> using a MITM attack backed by a government-issued root CA, they are going
> to do it by gaining access to a "neutral" CA (such as Verisign), and
> obtaining the root certificate's private key. Now you would have a much
> harder time of figuring out that something has gone wrong, but then, if
> you're paranoid of the government spying on you, and you are using a CA
> other than one you own yourself, you've already lost the battle."
> I agree, no protocol or method can stop a nation state because things
> ultimately come down to physical security.
> But it is more reason to put the breaks on the idea that moving the whole
> web to https is going to make a real difference. I don't think it will.
> Once the users see https as a selective spying mechanism (open for govs,
> closed for petty criminals) they really won't trust the web ever again,
> unless you come up with a new protocol/story and keep evolving it in major
> ways to stay ahead of the inevitable.
> Copying the wisdom below (via another developer):
> *On Derived Values*
> This, milord, is my family's axe. We have owned it for almost nine hundred
> years, see. Of course, sometimes it needed a new blade. And sometimes it
> has required a new handle, new designs on the metalwork, a little
> refreshing of the ornamentation . . . but is this not the nine
> hundred-year-old axe of my family? And because it has changed gently over
> time, it is still a pretty good axe, y'know. Pretty good.
> -- Terry Pratchett, The Fifth Elephant
> On Sun, Feb 22, 2015 at 6:33 PM, Eric J. Bowman <eric@bisonsystems.net>
> wrote:
>> Eric J. Bowman wrote:
>> >
>> > >
>> > > I encourage you to read more about cryptography and cryptographic
>> > > network protocols, and to try your hand at subverting HTTP and HTTPS
>> > > traffic (on your own systems and networks only, of course). I think
>> > > you'll find that the available security guarantees and
>> > > non-guarantees of HTTP and of HTTPS are very different from what
>> > > you have expressed in this thread.
>> > >
>> >
>> > Thanks, but I don't think you've understood what it is I'm trying to
>> > express.
>> >
>> Particularly, Superfish illustrates that the guarantees and non-
>> guarantees of HTTP and HTTPS are *exactly* what I tried to express in
>> this thread.
>> Yes, I know. You're above this list now, or at least until March 30,
>> while you write a book on Web security. Let's just say I'm not pre-
>> ordering.
>> -Eric
Received on Tuesday, 27 August 2019 01:38:01 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 16:49:38 UTC