Re: Draft finding - "Transitioning the Web to HTTPS"

From: Chris Palmer <palmer@google.com>
Date: Tue, 9 Dec 2014 17:24:39 -0800
Message-ID: <CAOuvq21maqRKYwSS2SHw2czXUpe0eK3e2YDsk51i0poZspn1fg@mail.gmail.com>
To: Bjoern Hoehrmann <derhoermi@gmx.net>
Cc: Mark Nottingham <mnot@mnot.net>, Noah Mendelsohn <nrm@arcanedomain.com>, "www-tag@w3.org List" <www-tag@w3.org>

On Tue, Dec 9, 2014 at 3:53 PM, Bjoern Hoehrmann <derhoermi@gmx.net> wrote:

>>I'm interested in this. When does that happen? I would really like for
>>the owner of a device to be able to control the device's trust anchor
>>store.
>
> I believe devices running older versions of Android are an example. By
> the looks of it, contemporary gaming consoles might be another.

That seems straightforwardly a missing feature to me. Certainly
nothing we should seek to have be the norm, nor even to work around or
treat as normal.

>>Detectable by whom...? I generally know when I am using the developer console.
>
> Mark's example was researchers studying computer systems. If computer
> systems behave differently depending on whether they are being studied,
> such research can be rather complicated. This can happen accidentally,
> but also deliberately as part of copy protection, anti-cheat, or other
> obfuscation schemes.

I have limited experience researching such schemes, but have never
found them to take more than a day to break.

But again, I wouldn't want to design around the expectations of
owner-hostile systems.

Received on Wednesday, 10 December 2014 01:25:06 UTC
