
Re: Draft finding - "Transitioning the Web to HTTPS"

From: Marc Fawzi <marc.fawzi@gmail.com>
Date: Sat, 20 Dec 2014 05:27:07 -0800
Message-Id: <A7B4A220-8A7E-494E-B1E8-61F653DBF68F@gmail.com>
Cc: Tim Berners-Lee <timbl@w3.org>, "Eric J. Bowman" <eric@bisonsystems.net>, Chris Palmer <palmer@google.com>, Melvin Carvalho <melvincarvalho@gmail.com>, Mark Nottingham <mnot@mnot.net>, Public TAG List <www-tag@w3.org>
To: Domenic Denicola <d@domenic.me>

What Tim laid out is exactly why I'm excited about Web Crypto, but you have a point about the initial download of whatever system is implemented on top of it.

What if the system was built into a Chrome extension and downloaded via https from the Chrome Web Store? I had a chat with the developer behind AdBlock and he actually wrote a script to check periodically to make sure his extension on the Chrome store hasn't been replaced with a non-official version. He said it's for potentially rogue employees. He had hired some developer(s) to take over the development of the plugin. In the same way, plugin developers can release sensitive plugins on the Chrome Web Store and users can be sure that they're downloading the valid version (via https). After that, everything Tim said (which is inspiring btw) should be implementable and can work over http.

So can we just not go knee-jerk and blanket the web with https when it may only be needed in a few places (assuming web crypto based systems will be developed as built-in browser functionality or as plugins downloaded from browser vendor's store)?

Help us out here!

Sent from my iPhone

> On Dec 19, 2014, at 7:51 PM, Domenic Denicola <d@domenic.me> wrote:
> From: Tim Berners-Lee [mailto:timbl@w3.org] 
>> Yes, but once the webcrypto code is unpolyfilled into the browser that attack will go away, and you will be able to use it to build new trust systems, right?
> No, sad to say. Since the network attacker could modify whatever JavaScript code you are using to implement those trust systems, or could even simply insert something like
> Object.defineProperty(window.crypto, "subtle", {
>  get() {
>    return new CompletelyFakeWebCryptoImplementation();
>  }
> });
Received on Saturday, 20 December 2014 13:27:43 UTC
