[Bug 25972] Please require a secure origin

https://www.w3.org/Bugs/Public/show_bug.cgi?id=25972

--- Comment #19 from Ryan Sleevi <sleevi@google.com> ---
(In reply to Ehsan Akhgari [:ehsan] from comment #18)
> > For 2, the issue is not and has never been about "promoting TLS" as an
> > ideological point.
> 
> FWIW that is not what I was suggesting at all, and I don't believe you're
> arguing for that either.

Correct, but it was indeed mentioned in the Firefox post - "As for making new
features unavailable without TLS in order to promote the use of TLS,"

> IOW, it seems to me that restricting the exposure of this API to secure
> origins doesn't actually accomplish what you're going for here.

No, I felt that I did address this, but since you missed it, I'll try
restating. The goal is to be secure by default, which we believe to have a
>0 value. Mark's analysis is one we fundamentally disagree with, and so I'm not
going to spend much time trying to explain why it's a poor security model.

Yes, it's correct that one can do a lot of things to smuggle the information
across origin. However, that can equally be said of other web platform features
- from geolocation to microphone access. That is, two origins, acting in
concerted effort, can compromise or undermine many security boundaries that UAs
interact. That doesn't mean there isn't value in recognizing or attempting to
make such separations, however, and they provide value.

Consider geolocation, which is granted on a per-origin basis. Nothing prevents
there being an evil.com site, which accesses the user's location, and allows
any arbitrary origin to iframe it and inquire as to the user's location. The
user will never know that anotherevilsite.com or hostile.com also have access
to the user's location (by way of iframing). Yet we still recognize there being
value in per-origin prompts.

> 
> It's true that shipping something later is easier than unshipping something,
> but there's also the interoperability concern, which I think is reason
> enough to try to come to an agreement before shipping incompatible
> implementations, as Boris already suggested.

Agreed. Which is why we're encouraging Firefox to adopt conservatism, so that
secure by default can still be attainable.

That said, we believe the security risks are real enough, and examples such as
those provided by the WG members are so demonstrably and clearly insecure, that
the value of encouraging secure by default outweighs the interoperability
concern.

Received on Wednesday, 22 October 2014 18:40:53 UTC