- From: Chris Palmer <palmer@google.com>
- Date: Thu, 21 Aug 2014 13:59:33 -0700
- To: "Eduardo' Vela" <evn@google.com>
- Cc: Mark Watson <watsonm@netflix.com>, Jim Manico <jim.manico@owasp.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Wed, Aug 20, 2014 at 10:30 AM, Eduardo' Vela <Nava> <evn@google.com> wrote:

> I don't think having SSL-only features is good. To get an SSL certificate you need
> to pay.. we are essentially forcing developers to pay money to some dubious
> organization (every year!) just so that they can use some web features. Note
> this isn't the case for DNS nor even an IP (since you can do it in a
> university, for example without paying anyone, or in an intranet, or at
> home, etc). It's not really a great idea.

As I have said before, in another forum:

"""Unfortunately, secure introduction for peers in a globally-distributed system remains a hard problem, and so we have to make do with a little duct tape (trusted third parties, in this case). We are trying as hard as we can to reduce the amount of trust placed in the third parties, while also finding ways to bolster their trustworthiness. (See e.g. Certificate Transparency.) But, yes, they do perform some work, and $15 is the marginal amount they need to continue operating."""

I think you'll be hard-pressed to find a modern platform for which developers have great power but no responsibility. The costs of code-signing have raced to the bottom.

> It might also be worth noting that for some use-cases and setups, SSL
> doesn't add any security benefits. I see there is "localhost" and 127/8 to
> try and address this concern, but this will never be a complete list, and
> will just break sites for users, annoy developers, and introduce dangerous
> practices.

Can you explain more? What are some realistic public deployment scenarios in which TLS is utterly useless?
Received on Thursday, 21 August 2014 21:00:01 UTC
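The exchange above turns on the "localhost" and 127/8 exceptions to a TLS-only policy. The following is an added illustration, not code from the thread or from any W3C specification, of how such an allowlist check is typically written: parse the origin first, then accept only https/wss/file, loopback addresses and localhost names, and treat everything else (including an unparsable string or a plain-http intranet host) as untrusted. The function names and the sample origins are constructed for this example.

```javascript
// Added example (not part of the original mailing-list message): a fail-closed
// "is this origin potentially trustworthy?" check in the spirit of the
// localhost / 127/8 exceptions discussed above. It is a simplified allowlist,
// not the exact algorithm of any specification.

const SECURE_SCHEMES = new Set(["https:", "wss:"]);

// 127.0.0.0/8: exactly four dotted-decimal octets, first octet 127, each 0..255.
// The WHATWG URL parser has already normalised shorthand such as 127.1 or
// 0177.0.0.1 to 127.0.0.1, so the match runs on canonical form only.
function isIPv4Loopback(hostname) {
  const parts = hostname.split(".");
  if (parts.length !== 4) return false;
  if (!parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255)) return false;
  return Number(parts[0]) === 127;
}

// URL.hostname exposes IPv6 literals in brackets, e.g. "[::1]".
function isIPv6Loopback(hostname) {
  return hostname === "[::1]";
}

// "localhost" and any name under ".localhost"; a trailing dot is ignored.
function isLocalhostName(hostname) {
  const h = hostname.toLowerCase().replace(/\.$/, "");
  return h === "localhost" || h.endsWith(".localhost");
}

// Returns true only for origins the allowlist recognises. Anything that does
// not parse, or that is plain http:// to a non-loopback host (an intranet
// server, for instance), is reported as untrusted.
function isPotentiallyTrustworthy(origin) {
  let url;
  try {
    url = new URL(origin);
  } catch {
    return false; // fail closed on unparsable input
  }
  if (SECURE_SCHEMES.has(url.protocol)) return true;
  if (url.protocol === "file:") return true;
  const host = url.hostname;
  return isIPv4Loopback(host) || isIPv6Loopback(host) || isLocalhostName(host);
}

// Classify a list of origins; returns a Map of origin -> boolean.
function classifyOrigins(origins) {
  return new Map(origins.map((o) => [o, isPotentiallyTrustworthy(o)]));
}

// Constructed sample origins (not from the thread) showing where the
// allowlist draws its line, including the intranet case the thread raises.
const SAMPLE_ORIGINS = [
  "https://example.com/",
  "http://example.com/",
  "http://localhost:8080/",
  "http://app.localhost/",
  "http://127.0.0.1/",
  "http://127.1/",
  "http://[::1]/",
  "http://intranet.example/",
  "not a url",
];

for (const [origin, ok] of classifyOrigins(SAMPLE_ORIGINS)) {
  console.log(`${ok ? "trusted  " : "untrusted"}  ${origin}`);
}
```

Parsing with `URL` before matching matters: comparing the raw string against "127.0.0.1" would miss the shorthand and octal spellings the parser canonicalises, and an allowlist that is checked on unnormalised input tends to be either too narrow or too wide. The intranet origin coming back as untrusted is exactly the gap the quoted message points at: the exception list covers loopback, not "networks I consider private".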