W3C home > Mailing lists > Public > www-tag@w3.org > December 2014

Re: Draft finding - "Transitioning the Web to HTTPS"

From: Sean B. Palmer <sean@miscoranda.com>
Date: Sat, 13 Dec 2014 12:06:49 +0000
Message-ID: <CAH3-oEfkBdZhRc+RAoB6mZS4NmsRTYAWTGesfZRqu-+zvXPdtQ@mail.gmail.com>
To: Mark Nottingham <mnot@mnot.net>
Cc: "www-tag@w3.org List" <www-tag@w3.org>
Hi Mark,

If you are promoting HTTPS for security, you must also record that
TLS/SSL were partially compromised as of 2013:

"C.3. (TS//SI//REL) The fact that NSA/CSS has some capabilities
against the encryption in TLS/SSL, HTTPS, SSH, VPNs, VoIP, WEBMAIL,
and other network communication technologies"

http://www.theguardian.com/world/interactive/2013/sep/05/nsa-project-bullrun-classification-guide

"Several experts, including Bruce Schneier and Christopher Soghoian,
have speculated that a successful attack against RC4, a 1987
encryption algorithm still used in at least 50 per cent of all SSL/TLS
traffic, is a plausible avenue, given several publicly known
weaknesses of RC4. Others have speculated that NSA has gained ability
to crack 1024-bit RSA and Diffie Hellman public keys."

https://en.wikipedia.org/w/index.php?title=Bullrun_%28decryption_program%29&oldid=631232698#Methods

When certificates are upgraded to ECC, these compromises may be fixed,
though we are unlikely to know for sure. But there is a good chance
that the NSA-influenced NIST curves would be used instead of Prof
Bernstein's Curve25519 and associated apparatus. The IETF must not
allow this to happen.

Update the draft finding to include this information.

Regards,

On Mon, Dec 8, 2014 at 11:28 PM, Mark Nottingham <mnot@mnot.net> wrote:
> We've started work on a new Finding, to a) serve as a Web version of the IAB statement, and b) support the work on Secure Origins in WebAppSec.
>
> See: <https://w3ctag.github.io/web-https/>
>
> Repo w/ issues list at <https://github.com/w3ctag/web-https>.
>
> Cheers,
>
>
> --
> Mark Nottingham   https://www.mnot.net/
>
>



-- 
Sean B. Palmer, http://inamidst.com/sbp/
Received on Saturday, 13 December 2014 12:07:17 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 22:57:08 UTC