W3C home > Mailing lists > Public > public-webappsec@w3.org > October 2014

Re: "Secure Introduction of Internet-Connected Things" (was Re: [webappsec] Agenda for MONDAY Teleconference 2014-10-20, 12:00 PDT)

From: Chris Palmer <palmer@google.com>
Date: Wed, 22 Oct 2014 11:01:32 -0700
Message-ID: <CAOuvq23EN870hao1i9N4VstNPXB-ODq=O3CncBh4SsgDc99cXQ@mail.gmail.com>
To: David Rogers <david.rogers@copperhorse.co.uk>
Cc: noloader@gmail.com, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Wed, Oct 22, 2014 at 2:30 AM, David Rogers
<david.rogers@copperhorse.co.uk> wrote:

> ...ok. Back in the real world - what you really need is to be able to have a mechanism to reliably identify the device and therefore be able to take a decision on whether it is insecure for whatever reason. Abandonment is going to happen anyway (I've seen plenty of open source projects abandoned too!). If it is critically insecure there are effective mechanisms that have worked in the browser world (for example blocking IE6 on websites) to stop it accessing the internet and that change user behaviour in a good way.

Yeah, about IE 6 (and Windows XP < SP3)... those are great examples of
things that should have gone away a long time ago, and support the
argument in favor of device self-euthanasia. Precisely because we are
saddled with them, we can't move forward: no SNI, no SHA-256 for
certificate signatures... Not that it matters, since Microsoft has not
been patching (or even able to patch) many, many vulnerabilities in a
product that old. (Many patches make it into >= 7, or even >=8, only.
And I don't blame MS one bit for that.)

Even just dropping all support for SSL v3 (now fully, entirely dead)
and RC4 is not a decision that a sane person takes lightly. And those
things are older than IE6!

> Having some sort of suicide pill for a device is dangerous from a security perspective and isn't acceptable for purchasers.

Enjoy your RC4 in 2025, then. :)

Look, we all agree that self-euthanasia (or, less drastically,
self-capability-reduction) is not ideal. But the alternative is a
commitment to fully support devices for 10+ years. I'd love it if
everyone did that.
Received on Wednesday, 22 October 2014 18:01:59 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:07 UTC