Re: Draft finding - "Transitioning the Web to HTTPS"

On 12/08/2014 07:57 PM, Noah Mendelsohn wrote:
> I'm really delighted to see you undertaking this: a very important topic
> and just the sort of thing the TAG should be doing IMO. I didn't see an
> indication of where comments should go, so I'll make two here:

I'll encourage PING to review this work too.

> II. Privacy
> I also have the vague impression that there is a loss of privacy that
> indirectly results from the reduced practicality of proxies, but I'm not
> sure that intuition is correct. If there are privacy issues with the
> HTTPs transition, that would be worth exploring too.

For at least one set of privacy-conscious users, those seeking to block
traffic analysis by using Tor[1], HTTPS everywhere improves their
privacy and security.

Tor's onion routing sends traffic through a series of three hops, so the
entry node knows your incoming IP but not destination, and the exit node
sends the request on to its destination. If the destination site is in
the clear rather than HTTPS-enabled, a malicious exit node could sniff
or tamper with the request and response. So the Tor proxy solution is
strengthened by and complementary to HTTPS everywhere.



> Thank you. Good luck with this!
> Noah
> On 12/8/2014 6:28 PM, Mark Nottingham wrote:
>> We've started work on a new Finding, to a) serve as a Web version of
>> the IAB statement, and b) support the work on Secure Origins in
>> WebAppSec.
>> See: <>
>> Repo w/ issues list at <>.
>> Cheers,
>> -- 
>> Mark Nottingham

Wendy Seltzer -- +1.617.715.4883 (office)
Policy Counsel and Domain Lead, World Wide Web Consortium (W3C)        +1.617.863.0613 (mobile)

Received on Tuesday, 9 December 2014 16:06:46 UTC