
Re: [blink-dev] Re: Proposal: Marking HTTP As Non-Secure

From: Michael Martinez <michael.martinez@xenite.org>
Date: Thu, 18 Dec 2014 19:44:32 -0500
Message-ID: <549374F0.6040802@xenite.org>
To: Chris Palmer <palmer@google.com>
CC: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, "public-webappsec@w3.org" <public-webappsec@w3.org>, security-dev <security-dev@chromium.org>, mozilla-dev-security@lists.mozilla.org, blink-dev <blink-dev@chromium.org>
On 12/18/2014 7:17 PM, Chris Palmer wrote:
> On Thu, Dec 18, 2014 at 4:08 PM, Michael Martinez
> <michael.martinez@xenite.org> wrote:
>
>> A Study of SSL Proxy Attacks on Android and iOS Mobile Applications
>> http://harvey.binghamton.edu/~ychen/CCNC2014_SSL_Attacks.pdf
> That paper describes bugs in the certificate validation procedures *of
> specific clients*. (Note that the authors call out the fact that the
> clients in question are *not* browsers.)

Agreed.  The paper only looks at mobile apps, of which only some were 
found to be compromised.  But those of you responding with objections 
are completely missing the point.  Google wants everyone to switch over 
to using secure protocols and the execution will not only never be 
perfect, the hackers already have sufficient information about how the 
SYSTEM works that they are seeking other ways to bypass the security.  
All they have to do is insert a rogue proxy somewhere in the middle, and 
they can do that in a lot of different ways.

If the browser detects a problem with the certificate, great, the user 
gets a warning (and about half of all users ignore them according to 
some research).  On the other hand, when the legitimate 
certificate-serving resources are compromised, then what?

Google proposes that everyone use HTTPS, even when they are not 
collecting data from end-users.  This will only result in more Websites 
being improperly flagged for poor execution.  And how does that protect 
anyone from what is actually being done to steal user data at the access 
point?

We don't need to find bugs in Chrome to ask why it's necessary to force 
everyone to use HTTPS.  What we need is a valid argument for why 
everyone should do that.

Access point security is not all about who is sniffing unsecure 
connections, so forcing us to use only secure connections on the pretext 
that it makes us all safer just doesn't work as an argument in favor of 
Google's proposal.


-- 
Michael Martinez
http://www.michael-martinez.com/

YOU CAN HELP OUR WOUNDED WARRIORS
http://www.woundedwarriorproject.org/
Received on Friday, 19 December 2014 00:45:02 UTC
