- From: Michael Martinez <michael.martinez@xenite.org>
- Date: Thu, 18 Dec 2014 19:36:49 -0500
- To: public-webappsec@w3.org, security-dev@chromium.org, mozilla-dev-security@lists.mozilla.org, blink-dev@chromium.org
On 12/18/2014 7:14 PM, Donald Stufft wrote: > I'm not going to sit here and do the research that you should already be doing for yourself, but here is one link that explains how some smart phone apps were compromised. It's disturbing to see that people working on security protocols are not aware of articles that have appeared on security blogs, in news media, and on university Websites. > > A Study of SSL Proxy Attacks on Android and iOS Mobile Applications > http://harvey.binghamton.edu/~ychen/CCNC2014_SSL_Attacks.pdf > > This is only one example. > A skim of this shows that this is about mobile apps not correctly verifying TLS and has nothing to do with whether TLS as a protocol is broken. Probably you should learn how TLS actually works and read the papers you are linking before making extraordinary claims. This is not about how TLS works. This is about whether Google's proposal to convert the entire Web into using HTTPS protocol is going to magically protect users' privacy against compromise. The bad guys are looking for vulnerabilities in everything and they are finding those vulnerabilities. They don't have to crack TLS. They only have to bypass it. The details of the security protocols are only one part of the picture. It doesn't matter if one part of the system works as expected if other parts are not. Google is trying to force everyone to use TLS when it can still be bypassed. That is not a good approach because it creates burdens for millions of websites that have no benefit for anyone, visitors or site owners. Only the companies that sell security features will benefit. -- Michael Martinez http://www.michael-martinez.com/ YOU CAN HELP OUR WOUNDED WARRIORS http://www.woundedwarriorproject.org/
Received on Friday, 19 December 2014 00:37:17 UTC