Re: Draft finding - "Transitioning the Web to HTTPS"

From: Chris Palmer <palmer@google.com>
Date: Tue, 9 Dec 2014 10:37:22 -0800
Message-ID: <CAOuvq21MTEESfuLZWRybuUyPKBWd_2ex=NcpK3a=r8nBW6Kawg@mail.gmail.com>
To: Mark Nottingham <mnot@mnot.net>
Cc: Noah Mendelsohn <nrm@arcanedomain.com>, "www-tag@w3.org List" <www-tag@w3.org>

On Mon, Dec 8, 2014 at 8:09 PM, Mark Nottingham <mnot@mnot.net> wrote:

> If so, I've had similar misgivings -- backed up by conversations with Balachander Krishnamurthy at AT&T, who said that it would have been much harder for them to find how pervasive cookie tracking was had everything been encrypted <http://www.sigcomm.org/ccr/papers/2010/January/1672308.1672328>.

That's a bit hard to swallow, given

http://www.washingtonpost.com/business/technology/verizon-atandt-tracking-their-users-with-super-cookies/2014/11/03/7bbbf382-6395-11e4-bb14-4cfea1e742d5_story.html

> When I talk to browser folks about this, they say that you can still install a CA to observe traffic, or look at the console / dev tools, etc. I think that's a reasonable answer, but one that needs better tools available to foster this kind of research.

A full-powered debugger built into the browser, plus all the various
extension and add-on APIs, give users and researchers tons of power.

Yes, DPI/HTTPS proxying will require the proxy/wiretapper to install a
trust anchor on the client machine — i.e. to visibly take
administrative control over the client machine — and that is most
certainly a user safety feature, not a bug.

Received on Tuesday, 9 December 2014 18:37:49 UTC