Re: Draft finding - "Transitioning the Web to HTTPS"

Thank you... I now understand the dependence of crypto on https. Will propagate to others.

> On Dec 10, 2014, at 9:18 AM, Domenic Denicola <d@domenic.me> wrote:
> 
> From: Marc Fawzi [mailto:marc.fawzi@gmail.com] 
> 
>> - Why does Web Crypto in Chrome depend on https? Transmitting the user's public key over http is how public keys are supposed to be used, in the open. I don't think anyone in their right mind would want to transmit the user's private key (if that's even technically possible... have yet to read about the extractable property and how that works)
> 
> It's not about transmitting the key. It's about transmitting the code that does encryption or decryption. If I can modify that code, I can intercept any supposedly "encrypted" data, or any data that was supposedly meant to be decrypted only on the user's local computer and not sent elsewhere.
> 
> I'm sure others can give a more in-depth answer.
> 
>> - What happens when my employer becomes a CA and has a Web gateway for https traffic? They can see the contents of my Gmail, Facebook, bank account and everything else, including communication with a lawyer etc., that's normally protected. By the way, I do know several employers who are able to monitor https traffic going over their networks (including VPN for remote workers)
> 
> Yes, if someone else has root on your machine, you're in trouble no matter what.
> 
>> So basically, https doesn't help protect a user's privacy in such a case, but Web Crypto could,
> 
> Nope, web crypto needs a secure transport to make any sense at all. It's a bootstrapping problem. If you're on an insecure channel (whether HTTP or employer-MITMed HTTPS), web crypto provides no guarantees at all.
> 

Received on Wednesday, 10 December 2014 17:54:42 UTC