- From: Thomas Roessler <tlr@w3.org>
- Date: Mon, 2 Feb 2009 17:46:35 +0100
- To: Thomas Roessler <tlr@w3.org>
- Cc: W3C WSC Internal <public-wsc-wg@w3.org>
From the comments so far, I don't think any changes are needed before this goes out as an official comment. If you believe otherwise, please say so by EOB tomorrow.

--
Thomas Roessler, W3C <tlr@w3.org>

On 28 Jan 2009, at 18:30, Thomas Roessler wrote:

> Here we go... Comments by EOB next Tuesday?
>
>> Hi,
>>
>> thanks for your request for advice with respect to the proposed best practices on the use of HTTPS. The Web Security Context Working Group has considered the proposed best practice on a recent conference call.
>>
>> The short version of the advice is "don't do this, it's a bad practice."
>>
>> The longer version: We believe that you mean to recommend token-based authentication schemes (where only an initial login transaction is done through HTTPS, but most interactions are through plain HTTP, with an appropriate token transmitted as a cookie or in some HTTP header) similar to the ones currently in use at large web properties. While there may be situations in which the use of such schemes is justified as the result of a complex trade-off, we oppose a best practice recommending this approach. There are several reasons for this advice:
>>
>> 1. Use of HTTP in such schemes often leaves the asset that should really be protected out in the open: E.g., a webmail service implemented according to this advice might permit an attacker full access to the victim's inbox.
>>
>> 2. When using TLS, there is no reason to repeat the initial public key handshake for every single HTTP request: The resource-intensive piece of the protocol occurs when the TLS handshake is first executed (e.g., when accessing the login page); future HTTP requests only require cheap symmetric key operations.
>>
>> 3. The practice described is particularly bad in the case of applications targeted at mobile use: Mobile devices are increasingly used to access the Web through whatever Wireless LAN might be available. There is no reason to trust these networks; indeed, there is hardly a situation with a higher exposure to network attacks than an untrusted Wireless LAN environment. Therefore, the Best Practices document should call out the overall risk profile, and *encourage* use of TLS.
>>
>> 4. We note that your specification seems to aim at relatively complex Web Applications, which implies a high likelihood that powerful mobile devices will be used with these applications. That implies both an even higher likelihood for the use of W-LAN, and a comparably low likelihood that resource constraints will indeed be seriously affected by the use of TLS.
>>
>> On behalf of the Web Security Context WG,
>> --
>> Thomas Roessler, W3C <tlr@w3.org>
Received on Monday, 2 February 2009 16:46:46 UTC
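The scheme the WG comment objects to (login over HTTPS, then a session token carried as a cookie over plain HTTP) is visible in the response headers a login endpoint returns. The following is an added example, not part of the archived message or any W3C deliverable: a small audit of constructed `Set-Cookie` and `Strict-Transport-Security` headers that flags a session cookie lacking the `Secure` attribute (so the browser would send it on HTTP requests) and, going beyond the 2009 text, the absence of HSTS, which is the later mechanism for keeping a site on TLS after the initial visit. The cookie names treated as session tokens are an assumption.

```python
"""Audit login-response headers for a session token that will leak over plain HTTP."""

# Constructed sample responses (not taken from the original message).
SAMPLE_RESPONSES = {
    # Token issued after an HTTPS login but usable on plain HTTP: the bad practice.
    "token_over_http": [
        "Set-Cookie: sessionid=abc123; Path=/; HttpOnly",
    ],
    # Token bound to TLS, plus HSTS so the browser stays on HTTPS.
    "tls_everywhere": [
        "Set-Cookie: sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
        "Strict-Transport-Security: max-age=31536000; includeSubDomains",
    ],
}

# Assumed names of cookies that carry the authentication token.
SESSION_COOKIE_NAMES = ("sessionid", "token", "auth")


def parse_set_cookie(value):
    """Split 'name=value; Attr; Attr=val' into (name, {attr_lowercase: val_or_True})."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name, _, _cookie_value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), attrs


def audit_headers(headers, session_cookie_names=SESSION_COOKIE_NAMES):
    """Return a list of findings; an empty list means no HTTP exposure was found."""
    findings = []
    has_hsts = False
    for line in headers:
        hname, _, hval = line.partition(":")
        hname, hval = hname.strip().lower(), hval.strip()
        if hname == "strict-transport-security":
            has_hsts = True
        elif hname == "set-cookie":
            cname, attrs = parse_set_cookie(hval)
            if cname.lower() not in session_cookie_names:
                continue
            if "secure" not in attrs:
                findings.append(f"{cname}: no Secure attribute, token is sent on plain-HTTP requests")
            if "httponly" not in attrs:
                findings.append(f"{cname}: no HttpOnly attribute, token is readable by page script")
    if not has_hsts:
        findings.append("no Strict-Transport-Security header, later visits may fall back to HTTP")
    return findings
```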