Re: Draft finding - "Transitioning the Web to HTTPS" from Mark Nottingham on 2014-12-13 (www-tag@w3.org from December 2014)

From: Mark Nottingham <mnot@mnot.net>
Date: Sun, 14 Dec 2014 08:51:06 +1100
To: "Sean B. Palmer" <sean@miscoranda.com>
Cc: "www-tag@w3.org List" <www-tag@w3.org>
Message-Id: <9D9C922C-956F-470E-A779-432B1121952C@mnot.net>

Hi Sean,

This finding is not the end statement on all things encryption; it’s a proposal for a high-level policy. The details of encryption are best left to specific Recommendations and RFCs; for example, TLS1.3 is removing RC4 (and HTTP/2 disallows it), and the CFRG is debating the merits of different curves.

Cheers,


> On 13 Dec 2014, at 11:06 pm, Sean B. Palmer <sean@miscoranda.com> wrote:
> 
> Hi Mark,
> 
> If you are promoting HTTPS for security, you must also record that
> TLS/SSL were partially compromised as of 2013:
> 
> "C.3. (TS//SI//REL) The fact that NSA/CSS has some capabilities
> against the encryption in TLS/SSL, HTTPS, SSH, VPNs, VoIP, WEBMAIL,
> and other network communication technologies"
> 
> http://www.theguardian.com/world/interactive/2013/sep/05/nsa-project-bullrun-classification-guide
> 
> "Several experts, including Bruce Schneier and Christopher Soghoian,
> have speculated that a successful attack against RC4, a 1987
> encryption algorithm still used in at least 50 per cent of all SSL/TLS
> traffic, is a plausible avenue, given several publicly known
> weaknesses of RC4. Others have speculated that NSA has gained ability
> to crack 1024-bit RSA and Diffie Hellman public keys."
> 
> https://en.wikipedia.org/w/index.php?title=Bullrun_%28decryption_program%29&oldid=631232698#Methods
> 
> When certificates are upgraded to ECC, these compromises may be fixed,
> though we are unlikely to know for sure. But there is a good chance
> that the NSA-influenced NIST curves would be used instead of Prof
> Bernstein's Curve25519 and associated apparatus. The IETF must not
> allow this to happen.
> 
> Update the draft finding to include this information.
> 
> Regards,
> 
> On Mon, Dec 8, 2014 at 11:28 PM, Mark Nottingham <mnot@mnot.net> wrote:
>> We've started work on a new Finding, to a) serve as a Web version of the IAB statement, and b) support the work on Secure Origins in WebAppSec.
>> 
>> See: <https://w3ctag.github.io/web-https/>
>> 
>> Repo w/ issues list at <https://github.com/w3ctag/web-https>.
>> 
>> Cheers,
>> 
>> 
>> --
>> Mark Nottingham   https://www.mnot.net/
>> 
>> 
> 
> 
> 
> -- 
> Sean B. Palmer, http://inamidst.com/sbp/

--
Mark Nottingham   http://www.mnot.net/

Received on Saturday, 13 December 2014 21:51:34 UTC