Re: [W3C Web Security IG] moving the web to HTTPS is currenlty discussd in TAG

On Dec 10, 2014, at 5:11 PM, Mark Nottingham <mnot@mnot.net> wrote:
>> On 11 Dec 2014, at 5:26 am, Hannes Tschofenig <hannes.tschofenig@gmx.net <mailto:hannes.tschofenig@gmx.net>> wrote:
>> 
>> It is a good idea to build on the earlier IAB announcement with regard
>> to security of the Web.
>> 
>> I read through the document and I like it.
> 
> Thanks.

+1. Thanks for doing this, Mark.

>> Only three comments/questions:
>> 
>> 1) I was hoping to read that a strong incentive for using HTTPS is to
>> secure the distribution of code, which is uses more an more. (Code =
>> JavaScript).
> 
> That's implied here:
> 
> """
> Furthermore, security on the Web has proven to be quite subtle. If an attacker can modify content in transit, the power of the Web platform we are defining can easily be turned against the user (or the site they are using).
> """
> 
> Happy to make that more explicit.

I think it is worth being more explicit on this point. In many of the discussions that have taken place about accessing APIs over secure origins, we have sometimes been hazy about whether we’re concerned about integrity, confidentiality or both. I think we should recognize the limitations (given traffic analysis attacks that are likely to be effective for some time at the Web level) of HTTPS on providing confidentiality for all kinds of Web traffic. And at the same time, integrity of JavaScript code and API access maintains confidentiality with regard to device sensors and other information.

Related: does the TAG want to take any position in this finding on other approaches for code integrity, like the subresource integrity proposals (that I believe are currently stalled)?

Just my two cents,
Nick

Received on Thursday, 11 December 2014 01:27:48 UTC