W3C home > Mailing lists > Public > www-tag@w3.org > December 2014

Re: Draft finding - "Transitioning the Web to HTTPS"

From: Wendy Seltzer <wseltzer@w3.org>
Date: Wed, 10 Dec 2014 07:14:44 -0500
Message-ID: <54883934.5080909@w3.org>
To: Tim Bray <tbray@textuality.com>
CC: Mark Nottingham <mnot@mnot.net>, "www-tag@w3.org List" <www-tag@w3.org>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Another argument might focus around timing in the technology
life-cycle: It may well have been easier to develop early Internet and
Web protocols without consideration of security -- cleartext is less
complex and easier to debug. Now, however, the Internet and Web have
both developed sufficiently to stabilize core aspects and become
important enough that the harmful consequences of insecurity and lack
of privacy protection outweigh the benefits of simplicity.

We've also gotten better at security, and have standards that can make
it easier to deploy secure infrastructure, so pushing for universal
security can add to the economies of scale that bring its costs down
further. I believe we've passed the inflection point after which any
new deployment should be secure by default, and that preserving the
right and ability to tinker and continue innovating is fully
consistent with that.

- --Wendy

On 12/10/2014 12:17 AM, Tim Bray wrote:
> The arguments about the desirability of ubiquitous encryption have
> been going on a long time, but unfortunately tend to circularity
> because few *new* arguments are introduced in any given year.  I
> have written a draft which assembles the most-commonly-heard
> arguments against the universal deployment of privacy technology,
> and provides counter-arguments.  I suspect much of it is material
> to this discussion, and it’s not very long: 
> https://www.tbray.org/tmp/draft-bray-privacy-choices-00.html :
> “Privacy Choices for Internet Data Services”
> 
> On Tue, Dec 9, 2014 at 7:36 PM, Marc Fawzi <marc.fawzi@gmail.com>
> wrote:
> 
>> I think this list is public for a reason, right? So concerned
>> citizens of the web can voice their opinion? Or maybe another
>> reason?
>> 
>> Anyway, as far as opinions go I think that APIs that only work on
>> HTTPS but could in reality work on HTTP means that if some app
>> wanted to use such API then it must purchase an SSL certificate
>> (I think they still cost a lot of money) and incur extra cost in
>> the cloud or data center.
>> 
>> 
>> 
>> Sent from my iPhone
>> 
>>> On Dec 9, 2014, at 1:23 PM, Bjoern Hoehrmann
>>> <derhoermi@gmx.net> wrote:
>>> 
>>> * Mark Nottingham wrote:
>>>> When I talk to browser folks about this, they say that you
>>>> can still install a CA to observe traffic, or look at the
>>>> console / dev tools, etc. I think that's a reasonable answer,
>>>> but one that needs better tools available to foster this kind
>>>> of research.
>>> 
>>> It is actually quite common that you cannot install
>>> certificates and do not have debugging tools available, or
>>> would not be able to rely on them because their use is
>>> detectable. Considering that heteronomous computing is being
>>> made a fundamental part of the Web, it seems very unlikely
>>> that the TAG would agree that users have a right to know what
>>> their computers do and what data they send and receive. -- 
>>> Björn Höhrmann · mailto:bjoern@hoehrmann.de ·
>>> http://bjoern.hoehrmann.de D-10243 Berlin · PGP Pub. KeyID:
>>> 0xA4357E78 · http://www.bjoernsworld.de Available for hire in
>>> Berlin (early 2015)  · http://www.websitedev.de/
>>> 
>> 
>> 
> 
> 


- -- 
Wendy Seltzer -- wseltzer@w3.org +1.617.715.4883 (office)
Policy Counsel and Domain Lead, World Wide Web Consortium (W3C)
http://wendy.seltzer.org/        +1.617.863.0613 (mobile)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJUiDkuAAoJENTy3wcgk0el1YkP/3SJNuW+KUqtAdvGV2W+nFpd
QcL2CW2cx2yc2LoX31hN7Akmo4nCin4Hwsk8uYKxGVDtwPMo4nifaDg9UrRhJ0Ct
CBJzbf4r0fMtpEpEWcjCCCuZEh0OO4k5VCiM6JpFT+n7PKdaJtt+hbuXnRzPebCp
IAMp5CbnYP1bd4d6ArgO00eiJcty25yiIYCGHJd11vu1eaOUdBSfeoRQZ1HIQHTA
1ZsBA5V8ixPSu2wqtL7s3GXGTx6LFjjsLRqUW6Elmfn8nkw+JoV/da//sHvL4NZJ
y7O5LRx+ZF+dCICJ2djSQjvDA5EQQwbIlL2fes63hr+K2yYDVCFCPuHcKkISZl6C
zs2fUepEXJPTQvjQ7MmJekVs/mm9w10gCIuo2+cdi9GCsIjhMb5oMhVGm0IQ0C+w
5r87S4+Dzz3jRgSzn+17XC3OuzDCJy5eUJNDU6ZUuSaGGoI7bYlCZpQ3T1Uwm6bf
CEnkIR0DZ74x3zCQKRZzxameg5+5XjExA8HdDGNdfIB5Nmlvyaj/+ZgVNAoMem0f
FdAyeDWyV5aPCVEJaPdFPmZl6u7bw50pPlL8Llof1pD8VvOE86sVut/qShnHEPql
8lnG56uOEW6KfM3zm3VAbFYXVu8lU/PKiVmXJ236fjkHV0UXRJU8UoKAuseygHsO
pNwAxScKjHznAmvbOZBv
=Ndg+
-----END PGP SIGNATURE-----
Received on Wednesday, 10 December 2014 12:14:54 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 22:57:08 UTC