Re: Proposal: Marking HTTP As Non-Secure

On 12/18/2014 7:14 PM, Donald Stufft wrote:
> I'm not going to sit here and do the research that you should already be doing for yourself, but here is one link that explains how some smart phone apps were compromised.  It's disturbing to see that people working on security protocols are not aware of articles that have appeared on security blogs, in news media, and on university Websites.
>
> A Study of SSL Proxy Attacks on Android and iOS Mobile Applications
> http://harvey.binghamton.edu/~ychen/CCNC2014_SSL_Attacks.pdf
>
> This is only one example.
> A skim of this shows that this is about mobile apps not correctly verifying TLS and has nothing to do with whether TLS as a protocol is broken. Probably you should learn how TLS actually works and read the papers you are linking before making extraordinary claims.

This is not about how TLS works.  This is about whether Google's 
proposal to convert the entire Web into using HTTPS protocol is going to 
magically protect users' privacy against compromise.  The bad guys are 
looking for vulnerabilities in everything and they are finding those 
vulnerabilities.  They don't have to crack TLS.  They only have to 
bypass it.

The details of the security protocols are only one part of the picture.

It doesn't matter if one part of the system works as expected if other 
parts are not.  Google is trying to force everyone to use TLS when it 
can still be bypassed.  That is not a good approach because it creates 
burdens for millions of websites that have no benefit for anyone, 
visitors or site owners.  Only the companies that sell security features 
will benefit.


-- 
Michael Martinez
http://www.michael-martinez.com/

YOU CAN HELP OUR WOUNDED WARRIORS
http://www.woundedwarriorproject.org/

Received on Friday, 19 December 2014 00:37:17 UTC