Private Devices and IoT (was Proposal: Marking HTTP As Non-Secure)

From: Jeffrey Walton <noloader@gmail.com>
Date: Sun, 22 Feb 2015 13:35:41 -0500
Message-ID: <CAH8yC8kkW_QmNWazbRhcOvXR6APN-XtDtJamHyXYQ2zuws+YJw@mail.gmail.com>
To: Chris Palmer <palmer@google.com>
Cc: security-dev <security-dev@chromium.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>, blink-dev <blink-dev@chromium.org>, "dev-security@lists.mozilla.org" <dev-security@lists.mozilla.org>
Hi Chris,

Sorry to dig up an old thread.

> Yes, I agree this is a problem. I am hoping to publish a proposal for
> how UAs can authenticate private devices soon (in January probably).

Were you able to publish something? I wanted to read more about what
directions the solutions are moving towards.

This just made my radar:
http://blog.kaspersky.com/internet-of-crappy-things/, and I was
wondering how much has been addressed and how much is hyperbole.

Thanks in advance.

Jeff

On Thu, Dec 18, 2014 at 2:33 PM, Chris Palmer <palmer@google.com> wrote:
> On Thu, Dec 18, 2014 at 9:52 AM, jstriegel via blink-dev
> <blink-dev@chromium.org> wrote:
>
>> I'd like to propose consideration of a fourth category:
>> Personal Devices (home routers, printers, IoT, raspberry pis in classrooms, refrigerators):
>>  - cannot, by nature, participate in DNS and CA systems
>>  - likely on private network block
>>  - user is the owner of the service, hence can trust self rather than CA
>>
>> Suggested use:
>>  - IoT devices generate unique, self-signed cert
>>  - Friendlier interstitial (i.e. "Is this a device you recognize?") for self-signed connections on *.local, 192.168.*, 10.*, or on same local network as browser.
>>  - user approves use on first https connection
>>  - browser remembers (device is promoted to "secure" status)
>>
>> A lot of IoT use cases could benefit from direct connection (not requiring a cloud service as secure data proxy), but this currently gives the scariest of Chrome warnings. This is probably why the average home router or firewall is administered over http.
>
> Yes, I agree this is a problem. I am hoping to publish a proposal for
> how UAs can authenticate private devices soon (in January probably).
>
> A key goal is not having to ask the user "Is this a device you
> recognize?" — I think we can get the UX flow even simpler, and still
> be strong. Watch this space...
>
Received on Sunday, 22 February 2015 18:36:08 UTC
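The trust-on-first-use flow jstriegel sketches above, as an added example that is not part of this thread or of any browser's code: the scope check covers the *.local, 192.168.* and 10.* ranges named in the post, plus the 172.16/12 block as an assumed generalization (also RFC 1918); approved device certificates are pinned per host by fingerprint, and a remembered device that later presents a different certificate is flagged rather than silently re-approved. The certificate bytes are constructed sample values.

```python
import hashlib
import ipaddress
from urllib.parse import urlsplit

# Private-device scope from the proposal (192.168/16, 10/8, *.local); 172.16/12 is an
# added assumption, not in the original post.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private_device_origin(url):
    """True if the URL's host looks like a device on a private network."""
    host = (urlsplit(url).hostname or "").lower()
    if host.endswith(".local"):
        return True
    try:
        return any(ipaddress.ip_address(host) in net for net in PRIVATE_NETS)
    except ValueError:  # not an IP literal, so a public DNS name: normal CA path
        return False


def fingerprint(cert_der):
    """SHA-256 fingerprint (hex) of a DER-encoded certificate."""
    return hashlib.sha256(cert_der).hexdigest()


class DevicePinStore:
    """Trust-on-first-use store: remembers the certificate the user approved per device host."""

    def __init__(self):
        self.pins = {}  # host -> pinned fingerprint

    def check(self, url, cert_der, user_approves=lambda host: False):
        """Classify a connection: 'public-ca-path' for non-private hosts, 'rejected' or
        'first-use' for an unknown device depending on the user's answer, 'secure' when the
        remembered certificate matches, 'mismatch' when a remembered device's cert changed."""
        if not is_private_device_origin(url):
            return "public-ca-path"
        host = urlsplit(url).hostname.lower()
        fp = fingerprint(cert_der)
        pinned = self.pins.get(host)
        if pinned is None:
            if not user_approves(host):
                return "rejected"
            self.pins[host] = fp  # device promoted to "secure" status
            return "first-use"
        # A changed certificate on a known device is the case that must stay a warning.
        return "secure" if pinned == fp else "mismatch"
```

On a 'mismatch' the user agent should treat the device as unknown again (device reset, or something else answering on that address) rather than reusing the old approval.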