W3C home > Mailing lists > Public > public-webappsec@w3.org > December 2014

RE: [blink-dev] Proposal: Marking HTTP As Non-Secure

From: Domenic Denicola <d@domenic.me>
Date: Fri, 19 Dec 2014 17:15:17 +0000
To: Dominick Marciano <dominickmarciano@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, "blink-dev@chromium.org" <blink-dev@chromium.org>, "security-dev@chromium.org" <security-dev@chromium.org>, "dev-security@lists.mozilla.org" <dev-security@lists.mozilla.org>
Message-ID: <CY1PR0501MB1369A7B04246D630D87CB5E2DF6B0@CY1PR0501MB1369.namprd05.prod.outlook.com>
From: blink-dev@chromium.org [mailto:blink-dev@chromium.org] On Behalf Of Dominick Marciano

> If users are on sites that are transmitting any personally identifiable information, such as geo-location information, name, address, telephone, etc., to a non-secure site that the user should definitely be informed.  However there are also plenty of cases where a site may not employ HTTPS that the user does not necessarily need to be notified about.  Good examples of this may be news sites, blogs, etc., where a user does not need to login or provide any other information.

I see this misconception a lot, that you don't need HTTPS for sites which the user doesn't interact with in some "sensitive" way. This is just false.

For example, if http://example-company.com is transmitted over HTTP instead of HTTPS, any network attacker can modify the page to insert inaccurate, misleading, and harmful statements about Example Company's products, leadership, plans, or stock price.

Similarly, if http://example-news.com or http://example-blog.com is transmitted over HTTP instead of HTTPS, any network attacker can modify the news to insert false news, opinions, product reviews, or advertisements.

Finally, in all cases, network attackers can use the insecure connection to insert additional tracking, advertising, and privacy-invading devices into the page, as well as simply track the traffic flow itself (without any modifications).

And in all cases, "network attacker" does not mean someone is out to get you. It means you are sitting in a public wifi hotspot and someone is running a broad program to modify the traffic of all users, or you are using an ISP with less-than-stellar morals, or you are subject to government surveillance by virtue of e.g. living in the USA. If a user is using the free wifi at a coffee-shop inside a bookstore, users should be told that the prices on Amazon.com might be artificially jacked up by virtue of network traffic modification. If users are using the free WiFi inside Airline X's terminal, they should be told that if Airline Y serves their page over HTTP, the 404s they might be getting trying to book flights over on that site might not be entirely legitimate. Etc.

In all cases the user has no way of telling that the attacker modified the connection. Thus, it seems very wise to be honest with the user, and tell them that the connection is insecure and that nothing they see on the page can be trusted.

Received on Friday, 19 December 2014 17:15:48 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:44 UTC