
Re: [blink-dev] Re: Proposal: Marking HTTP As Non-Secure

From: Michael Martinez <michael.martinez@xenite.org>
Date: Thu, 18 Dec 2014 20:36:41 -0500
Message-ID: <54938129.9090007@xenite.org>
To: Donald Stufft <donald.stufft@gmail.com>
CC: Chris Palmer <palmer@google.com>, Daniel Kahn Gillmor <dkg@fifthhorseman.net>, "public-webappsec@w3.org" <public-webappsec@w3.org>, security-dev <security-dev@chromium.org>, mozilla-dev-security@lists.mozilla.org, blink-dev <blink-dev@chromium.org>

I have been asked offlist to stand down for at least a day to let this 
discussion cool down.  And it's obvious that those of you who are 
defending TLS against nothing I have said are tuning out what I am 
trying to say.  This WILL be my last reply even though I know there are 
other responses that really are missing the point.

On 12/18/2014 7:54 PM, Donald Stufft wrote:
> Agreed.  The paper only looks at mobile apps, of which only some were found to be compromised.  But those of you responding with objections are completely missing the point.  Google wants everyone to switch over to using secure protocols and the execution will not only never be perfect, the hackers already have sufficient information about how the SYSTEM works that they are seeking other ways to bypass the security.  All they have to do is insert a rogue proxy somewhere in the middle, and they can do that in a lot of different ways.
> You’re missing a step here, “All they have to do is insert a rogue proxy somewhere in the middle AND either get a certificate incorrectly issued to them (really hard to do) or the client software in question needs to not properly implement TLS.” In this as far as anyone is currently aware Chrome (and Mozilla, and all the major browsers) are currently implementing TLS correctly so unless someone finds a bug there (which would be promptly fixed) and the CA vendors are not currently mis-issuing certificates.

This has nothing to do with whether TLS works.  Google brought its 
proposal to flag all non-secure Websites to the security lists.  In 
responding to their proposal I have shown you multiple examples of how 
user privacy is violated in spite of the use of TLS.  It's not that TLS 
doesn't work.  It's that it is being used in a system that is full of holes.

People who use their work networks to browse the Web have to accept that 
their employers have a legal right to monitor their activity; if they 
are in a public wifi spot and they connect to the wrong router, they are 
hosed.  Even in a secure connection the employers and bad guys can still 
see where the packets are going if they control the access point.

I don't care how much TLS is improved from this point on (because in the 
end I have to trust my credit card data with the idiot storing that data 
in an unencrypted database that isn't properly firewalled).  I do care 
about whether the security community joins Google's campaign to convert 
the Web to using a protocol that is totally inappropriate in situations 
where no secure data exchange is required.  Sure, I get that a Website 
login can be sniffed in a public wifi spot; that is why hackers use 
methods to bypass TLS protections.

I ask that if you want to respond to me, then respond to my questions.   
Please don't bring up TLS and Chrome again.  That isn't what this is about.

Website owners will want to know why users should not trust their sites 
when they don't ask for or require credit card information. This 
proposal is part of Google's long-term campaign to change the entire 
Web.  They have yet to explain why the Web needs to get off of HTTP.  
The fact a small percentage of people don't want anyone to know what 
sites they browse isn't good enough.

> Indicating that the connection isn’t secure isn’t forcing everyone to use HTTPS. Disabling HTTP access altogether would do that, but nobody is suggesting that. All this proposal really does is have the user agents be honest and ethically inform their users of the properties of their current connection.

It's an act of intimidation.  You may not see it that way but many of the Website owners who have to deal with the implications of lost user trust DO.  And how the victims of intimidation feel is very important in a discussion of the tools being used.

There is nothing ethical in Google's proposal.  It is a dirty, underhanded propaganda tactic that sidesteps a fair and open public discussion with the people who will be most affected.  They are enticing the security community into supporting a sweeping change without fully explaining WHY they want it or why it should even be expected to provide any benefit.

Earlier this year Google disclosed that it was giving a slight boost in its search results to Websites that use HTTPS.  Many marketers immediately began discussing the implications of this algorithmic change but they don't know how to do the math.

If the same boost is applied to every site then the signal washes out in the mix.  But it is a carrot that Google has dangled in front of the donkeys.

They love to dangle carrots.  See those carrots for what they are.  DEMAND A FULL EXPLANATION FROM GOOGLE for why this proposal should be adopted.

Michael Martinez

Received on Friday, 19 December 2014 01:37:31 UTC
