- From: Brad Hill <hillbrad@gmail.com>
- Date: Mon, 20 Oct 2014 10:00:35 -0700
- To: Mike West <mkwst@google.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Brian Smith <brian@briansmith.org>
Ah, yes, thank's for reminding me of my own pet idea, Mike. :) I was thinking of it something along the lines of "Secure Introduction of Internet-Connected Things". Basic idea is that there are an increasing number of devices in people's homes that host web servers, and there is no really good way to connect to them securely from a browser under existing HTTPS rules. I think it is a bad idea to have users go through the ordinary "untrusted certificate" or "unknown authority" flows in the browser to use these devices, because it trains users to ignore these warnings and puts back pressure on UA authors who want to make these experiences increasingly strict. The idea I was tossing around would be to have some different kind of secure introduction ceremony to replace the untrusted certificate dialog *for hosts on the local network only*. Perhaps something like Bluetooth / WPS pairing, where the user could get a page that tells them this is a locally connected device and they have to enter a pairing code to trust it, with other-than-standard HTTPS UX treatment following, but less strict rules about mixed content blocking, etc. than an untrusted or HTTP connection would receive. There are a number of moving parts involved to get this right: - definitely UI, which the W3C doesn't have a great history in, but perhaps which we can describe the requirements for without prescriptively specifying - thinking about what constitutes a "locally attached network device", how to detect and verify that, and how to manage subsequent accesses over a WAN - some Fetch rules similar to Mixed Content - perhaps a certificate extension to identify these devices On Mon, Oct 20, 2014 at 7:45 AM, Mike West <mkwst@google.com> wrote: > On Sun, Oct 19, 2014 at 10:19 PM, Brad Hill <hillbrad@gmail.com> wrote: >> >> 08:20 - 08:30 TOPIC: [webappsec] Topics for Rechartering >> >> http://lists.w3.org/Archives/Public/public-webappsec/2014Oct/0037.html > > > CSP3. I'd suggest that this work should at least include a Fetch-based > rewrite and a DOM-accessible API. > >> 08:30 - 09:00 TOPIC: AOB > > > * Should we split Mixed Content into a document focusing on "Insecure > content (HTTP) in a secure context (HTTPS)", and another focusing on > "Intranet content in an extranet context"? Brad(?) suggested this at some > point in the past, and the more I think about it, the more it probably makes > sense. +Brian, who has opinions here, I think. > > * CSP2 -> CR? After TPAC, I suppose? > > -mike > > -- > Mike West <mkwst@google.com> > Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91 > > Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany > Registergericht und -nummer: Hamburg, HRB 86891 > Sitz der Gesellschaft: Hamburg > Geschäftsführer: Graham Law, Christine Elizabeth Flores > (Sorry; I'm legally required to add this exciting detail to emails. Bleh.) >
Received on Monday, 20 October 2014 17:01:06 UTC