W3C home > Mailing lists > Public > public-webappsec@w3.org > December 2014

Re: Proposal: Marking HTTP As Non-Secure

From: Donald Stufft <donald.stufft@gmail.com>
Date: Mon, 22 Dec 2014 09:44:37 -0500
Cc: michael.martinez@xenite.org, blink-dev@chromium.org, public-webappsec@w3.org, mozilla-dev-security@lists.mozilla.org, security-dev@chromium.org, Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Message-Id: <0BF2EAFA-C8E7-4E8E-8252-0A3E14E19352@gmail.com>
To: ianG <iang@iang.org>

> On Dec 22, 2014, at 9:12 AM, ianG <iang@iang.org> wrote:
> On 19/12/2014 00:14 am, Donald Stufft wrote:
>>> On Dec 18, 2014, at 7:08 PM, Michael Martinez <michael.martinez@xenite.org> wrote:
> ...
>>> A Study of SSL Proxy Attacks on Android and iOS Mobile Applications
>>> http://harvey.binghamton.edu/~ychen/CCNC2014_SSL_Attacks.pdf
>>> This is only one example.
>> A skim of this shows that this is about mobile apps not correctly verifying TLS and has nothing to do with whether TLS as a protocol is broken. Probably you should learn how TLS actually works and read the papers you are linking before making extraordinary claims.
> Donald, you guys are talking past each other.  It's pretty darn obvious that MM is talking about secure browsing.  You are talking about TLS.
> MM is approximately right in what he says -- to a user, the "claims" made by TLS are vague and uncertain, not reliable enough.  It matters not that you might understand how TLS works, or he understands, or he precisely pinpoints the breach.  What matters is whether that information reaches and leaves the user in a form which is sufficiently reliable and secure.
> MM believes approximately that it doesn't, and that approximate belief no matter how nuanced is actually a better representation of the user's beliefs than the PKI industry talk that assumes that if TLS is working then browsing is secure.  Studying more TLS won't change that because it's already missed the mark;  and continuing to pound the desk about "TLS securing the connection" is irrelevant because that is not secure browsing, and users can't tell the difference.

I donít really care what you call it, the simple fact is the actual *attacks* that are being described do not apply to the browsers and they rely on the client not implementing TLS validation. 

Donald Stufft
PGP: 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
Received on Monday, 22 December 2014 14:45:10 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:44 UTC