W3C home > Mailing lists > Public > www-tag@w3.org > December 2014

Re: Draft finding - "Transitioning the Web to HTTPS"

From: Wendy Seltzer <wseltzer@w3.org>
Date: Wed, 10 Dec 2014 07:14:44 -0500
Message-ID: <54883934.5080909@w3.org>
To: Tim Bray <tbray@textuality.com>
CC: Mark Nottingham <mnot@mnot.net>, "www-tag@w3.org List" <www-tag@w3.org>
Hash: SHA1

Another argument might focus around timing in the technology
life-cycle: It may well have been easier to develop early Internet and
Web protocols without consideration of security -- cleartext is less
complex and easier to debug. Now, however, the Internet and Web have
both developed sufficiently to stabilize core aspects and become
important enough that the harmful consequences of insecurity and lack
of privacy protection outweigh the benefits of simplicity.

We've also gotten better at security, and have standards that can make
it easier to deploy secure infrastructure, so pushing for universal
security can add to the economies of scale that bring its costs down
further. I believe we've passed the inflection point after which any
new deployment should be secure by default, and that preserving the
right and ability to tinker and continue innovating is fully
consistent with that.

- --Wendy

On 12/10/2014 12:17 AM, Tim Bray wrote:
> The arguments about the desirability of ubiquitous encryption have
> been going on a long time, but unfortunately tend to circularity
> because few *new* arguments are introduced in any given year.  I
> have written a draft which assembles the most-commonly-heard
> arguments against the universal deployment of privacy technology,
> and provides counter-arguments.  I suspect much of it is material
> to this discussion, and it’s not very long: 
> https://www.tbray.org/tmp/draft-bray-privacy-choices-00.html :
> “Privacy Choices for Internet Data Services”
> On Tue, Dec 9, 2014 at 7:36 PM, Marc Fawzi <marc.fawzi@gmail.com>
> wrote:
>> I think this list is public for a reason, right? So concerned
>> citizens of the web can voice their opinion? Or maybe another
>> reason?
>> Anyway, as far as opinions go I think that APIs that only work on
>> HTTPS but could in reality work on HTTP means that if some app
>> wanted to use such API then it must purchase an SSL certificate
>> (I think they still cost a lot of money) and incur extra cost in
>> the cloud or data center.
>> Sent from my iPhone
>>> On Dec 9, 2014, at 1:23 PM, Bjoern Hoehrmann
>>> <derhoermi@gmx.net> wrote:
>>> * Mark Nottingham wrote:
>>>> When I talk to browser folks about this, they say that you
>>>> can still install a CA to observe traffic, or look at the
>>>> console / dev tools, etc. I think that's a reasonable answer,
>>>> but one that needs better tools available to foster this kind
>>>> of research.
>>> It is actually quite common that you cannot install
>>> certificates and do not have debugging tools available, or
>>> would not be able to rely on them because their use is
>>> detectable. Considering that heteronomous computing is being
>>> made a fundamental part of the Web, it seems very unlikely
>>> that the TAG would agree that users have a right to know what
>>> their computers do and what data they send and receive. -- 
>>> Björn Höhrmann · mailto:bjoern@hoehrmann.de ·
>>> http://bjoern.hoehrmann.de D-10243 Berlin · PGP Pub. KeyID:
>>> 0xA4357E78 · http://www.bjoernsworld.de Available for hire in
>>> Berlin (early 2015)  · http://www.websitedev.de/

- -- 
Wendy Seltzer -- wseltzer@w3.org +1.617.715.4883 (office)
Policy Counsel and Domain Lead, World Wide Web Consortium (W3C)
http://wendy.seltzer.org/        +1.617.863.0613 (mobile)

Version: GnuPG v1

Received on Wednesday, 10 December 2014 12:14:54 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 22:57:08 UTC