- From: Marc Fawzi <marc.fawzi@gmail.com>
- Date: Wed, 10 Dec 2014 08:50:08 -0800
- To: Domenic Denicola <d@domenic.me>
- Cc: "Eric J. Bowman" <eric@bisonsystems.net>, Chris Palmer <palmer@google.com>, Melvin Carvalho <melvincarvalho@gmail.com>, Mark Nottingham <mnot@mnot.net>, "www-tag@w3.org List" <www-tag@w3.org>
- Message-ID: <CACioZitQ9Nn9bWvrnFrKWNOxTO5TVDM-Jp-6WRkge+kkTyjQGg@mail.gmail.com>
I'd like to blog about this really crucial proposal and introduce the arguments from both sides to other developers. I'm sure others, more in touch with the subject already have, but the more info out there the better, as this will have a huge effect on everybody. I have a few questions: - Why does Web Crypto in Chrome depend on https? Transmitting the user's public key over http is how public keys are supposed to be used, in the open. I don't think anyone in their right mind would want to transmit the user's private key (if that's even technically possible... have yet to read about the extractable property and how that works) - (dependent on the above) Why couldn't the web move to client side encryption where users would send their public key to the app they're using ad the app sends its public key to the users, to allow encryption of contents (maybe selective) if request and response? - what happens when my employer becomes a CA and has a Web gateway for https traffic? They can see the contents of my gmail, facebook, bank account and everything else including communication with a lawyer etc that's normally protected. By the way, I do know several employers who are able to monitor https traffic going over their networks (including vpn for remote workers) So basically, https doesn't help protect a user's privacy in such case, but Web Crypto could, but it needs to be used on both ends, and I feel we need to push for that instead of https which is open to snooping by employers and in a more damaging way by state actors. Employers becoming CAs and sniffing https traffic is not a theory. I know of a few doing it, but can't disclose freely. If someone can help me get over this and see the "light" I'll be most appreciative. Marc On Wed, Dec 10, 2014 at 5:44 AM, Domenic Denicola <d@domenic.me> wrote: > From: Eric J. Bowman [mailto:eric@bisonsystems.net] > > > Try to put yourself in the shoes of a forum operator wondering where > everyone's gone. > > Possibly to forums that don't allow attackers (including those sitting > next to them in the Starbucks public wifi), governments, or ISPs to: > > - track their usage (confidentiality) > - insert ads into the forum's content, or > - modify the opinions of people expressed therein to e.g. support certain > products or avoid criticizing certain ideas (integrity) > - steal their login credentials and impersonate them (authentication) > > As Wendy emphasizes, the fact that we as a community have been getting a > free pass on these three properties for so many years doesn't mean they > aren't important. > > > Copy https video url + paste into http post = empty iframe. > > This has nothing to do with https, but instead with X-Frame-Options, which > is orthogonal. A http site can also prevent this, and if it does so, it > will prevent both secure and insecure sites from embedding. > > >
Received on Wednesday, 10 December 2014 16:51:16 UTC