Re: Draft finding - "Transitioning the Web to HTTPS"

From: Tim Bray <tbray@textuality.com>
Date: Tue, 9 Dec 2014 21:17:11 -0800
Message-ID: <CAHBU6itv9SeTgoon3SdJoon=Accnu4h_JH6DtbC6w7A_Fdd4jQ@mail.gmail.com>
To: Marc Fawzi <marc.fawzi@gmail.com>
Cc: Bjoern Hoehrmann <derhoermi@gmx.net>, Mark Nottingham <mnot@mnot.net>, Noah Mendelsohn <nrm@arcanedomain.com>, "www-tag@w3.org List" <www-tag@w3.org>

The arguments about the desirability of ubiquitous encryption have been
going on a long time, but unfortunately tend to circularity because few
*new* arguments are introduced in any given year.  I have written a draft
which assembles the most-commonly-heard arguments against the universal
deployment of privacy technology, and provides counter-arguments.  I
suspect much of it is material to this discussion, and it’s not very long:
https://www.tbray.org/tmp/draft-bray-privacy-choices-00.html : “Privacy
Choices for Internet Data Services”

On Tue, Dec 9, 2014 at 7:36 PM, Marc Fawzi <marc.fawzi@gmail.com> wrote:

> I think this list is public for a reason, right? So concerned citizens of
> the web can voice their opinion? Or maybe another reason?
> Anyway, as far as opinions go I think that APIs that only work on HTTPS
> but could in reality work on HTTP means that if some app wanted to use such
> API then it must purchase an SSL certificate (I think they still cost a lot
> of money) and incur extra cost in the cloud or data center.
> Sent from my iPhone
> > On Dec 9, 2014, at 1:23 PM, Bjoern Hoehrmann <derhoermi@gmx.net> wrote:
> >
> > * Mark Nottingham wrote:
> >> When I talk to browser folks about this, they say that you can still
> >> install a CA to observe traffic, or look at the console / dev tools,
> >> etc. I think that's a reasonable answer, but one that needs better tools
> >> available to foster this kind of research.
> >
> > It is actually quite common that you cannot install certificates and do
> > not have debugging tools available, or would not be able to rely on them
> > because their use is detectable. Considering that heteronomous computing
> > is being made a fundamental part of the Web, it seems very unlikely that
> > the TAG would agree that users have a right to know what their computers
> > do and what data they send and receive.
> > --
> > Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
> > D-10243 Berlin · PGP Pub. KeyID: 0xA4357E78 · http://www.bjoernsworld.de
> > Available for hire in Berlin (early 2015)  · http://www.websitedev.de/
> >

- Tim Bray (If you’d like to send me a private message, see

Received on Wednesday, 10 December 2014 05:18:00 UTC
