- From: Ryan Sleevi <rsleevi@chromium.org>
- Date: Fri, 19 Dec 2014 20:10:33 -0800
- To: Michael Martinez <michael.martinez@xenite.org>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, blink-dev <blink-dev@chromium.org>, security-dev <security-dev@chromium.org>, "dev-security@lists.mozilla.org" <dev-security@lists.mozilla.org>, mozilla-dev-security@lists.mozilla.org
- Message-ID: <CACvaWvYFRKHNTDDaTZ6uW9Rxu7tfwhWWN8gCwm_KDG7=piCmQQ@mail.gmail.com>
On Fri, Dec 19, 2014 at 7:32 PM, Michael Martinez < michael.martinez@xenite.org> wrote: > On 12/19/2014 8:33 PM, Donald Stufft wrote: > >> So how is marking some Websites as "non-secure" (they all are) improving >> the situation? Shaming Website owners for not using encrypted connections, >> especially when your only concern is that you don't want some random >> stranger to see that you are reading a blog, is not acceptable. >> I think you’re fundamentally confused, I do not believe that anyone who >> is making this proposal is trying to force site operators to use HTTPS. >> > > Then I suggest you go back and reread the other posts from people who have > said exactly that. > > It is precisely this kind of inattention to what is actually being said > that keeps resetting this conversation. > > I am very ill right now and I don't have the energy for further > discussion. I hope that the people who need to consider these things see > past the needless nit-pickery and think about the big picture. You won't > be able to undo the damage this proposal will do, if it is carried out, > even if that turns out to be less than some of us fear. > It is not needlessly nitpicky. You've made several claims that range from demonstrably inaccurate to factually incorrect. When pressed for details, either you shift the topic to something unrelated or you claim it's not your responsibility to provide those details. When presented with evidence counter to your claim, you ignore it. You'd be surprised by the number of people making a good faith effort to give you both the benefit of the doubt and to patiently explain to you why you're either misunderstanding the issues at play or downright wrong. You've confused ARP poisoning with certificate compromise. You've proposed TLS in everything but name, yet argued against TLS. You've conflated "want the world to move to HTTPS" with "force the world to move to HTTPS", when multiple people - the original poster, people from the same organization, and people from different browsers - all pointing out that the two are not the same. Quothe the original proposal ( https://groups.google.com/a/chromium.org/d/msg/security-dev/DHQLv76QaEM/qTm0E376lswJ ) "We, the Chrome Security Team, propose that user agents (UAs) gradually change their UX to display non-secure origins as affirmatively non-secure." Echo'd again - https://groups.google.com/a/chromium.org/d/msg/security-dev/DHQLv76QaEM/cKBImJOUrEcJ "HTTPS is the bare minimum requirement for secure web application *transport*. Is secure transport by itself sufficient to achieve total *application-semantic* security? No. But a browser couldn't determine that level of security anyway. Our goal is for the browser to tell as much of the truth as it can programatically determine at run-time." And again - https://groups.google.com/a/chromium.org/d/msg/security-dev/DHQLv76QaEM/vgfv-e6A21MJ "(a) Users are currently habituated to treat non-secure transport as OK. The status quo is terrible. (b) What Peter Kasting said: we propose a passive indicator, not a pop-up or interstitial. " "Again, it's a passive indicator;" More importantly, you've continued to make claims without supporting evidence. This has been explained by https://groups.google.com/a/chromium.org/d/msg/security-dev/DHQLv76QaEM/zWkvtQ7HpB4J and https://groups.google.com/a/chromium.org/d/msg/security-dev/DHQLv76QaEM/FlyAPvETiwMJ and https://groups.google.com/a/chromium.org/d/msg/security-dev/DHQLv76QaEM/n3DGBTbdyiMJ and https://groups.google.com/a/chromium.org/d/msg/security-dev/DHQLv76QaEM/sHWde0wF7akJ While all feedback is appreciated to some level, you seem to be frustrated by the lack of attention being posed to your points. You've gone as far as to insult the intelligence of those replying in https://groups.google.com/a/chromium.org/d/msg/security-dev/DHQLv76QaEM/sfs-2A1P7rUJ . However, I'd like to again point out (as several have already patiently done so) that you've effectively ignored every single question posed to you, instead turned out to be rather dismissive and rude. I think we're very aware of the big picture here, and have tried patiently to explain it and to allay your misplaced fears that seem to be based on honest and genuine misunderstanding. However, in the absence of reasonable and rationale discourse, and the absence of new information, perhaps it's best to have had your say for now. In the big picture, continuing to use unauthenticated, non-confidential transports that anyone can modify while presenting them as acceptable and secure is downright dishonest - something the original post explained with a number of examples - https://groups.google.com/a/chromium.org/d/msg/security-dev/DHQLv76QaEM/qTm0E376lswJ .
Received on Saturday, 20 December 2014 04:11:00 UTC