W3C home > Mailing lists > Public > www-tag@w3.org > December 2014

Re: Draft finding - "Transitioning the Web to HTTPS"

From: Marc Fawzi <marc.fawzi@gmail.com>
Date: Sat, 20 Dec 2014 05:50:27 -0800
Message-Id: <F41FCA48-4331-4778-98DA-BEC1651E5E1B@gmail.com>
Cc: Domenic Denicola <d@domenic.me>, Tim Berners-Lee <timbl@w3.org>, Chris Palmer <palmer@google.com>, Melvin Carvalho <melvincarvalho@gmail.com>, Mark Nottingham <mnot@mnot.net>, Public TAG List <www-tag@w3.org>
To: "Eric J. Bowman" <eric@bisonsystems.net>

As an attacker, I can rewrite your verification routines. So I don't think that route is viable but what about writing the Web Crypto based functionality in a plugin downloaded via https from the browser vendor's web store And then using it over http to implement the kind of systems Tim was describing? I can surely trust the chrome web store to serve me the correct version oft extension especially if I implement my own period check (via https) 

I'm with you on the fact that we don't need to have https everywhere to build secure systems, and Web Crypto will unleash so much innovation and it should not be subject to the policy that says it should only work over https. 

I think the script modification fear can be addressed by downloading the signed script over https and then using it to build trust systems including alternatives to CAs with https used sparingly for all the reasons that have been mentioned here: total cost to the web in terms of loss of caching to mashups to cost of serving... And the big one: who moved my cheese! Aka making this foundational change won't be easy.

Mozilla still allows web crypto to be used over http and I hope they see that if the script transfer security can be solved via download from their extension store and therefore no need to limit web crypto functionality to https as the chrome team has done. I doubt that the chrome team would revise their decision, which is why it would also be nice if we weren't stuck with 3-4 major browsers and could download browser engines like we download apps... If the Chrome team says the web is moving to https only I suppose they have the muscle behind their decision to make that happen. If Chrome was the only browser that matters which it is close to bring in the developer community (sad to say) then we can have a dictatorship in terms of the future of the web. 

End of rant. Apologies to the folks on the chrome team, who are doing great work, but maybe with a different view of the world.

Sent from my iPhone

> On Dec 19, 2014, at 8:06 PM, "Eric J. Bowman" <eric@bisonsystems.net> wrote:
> Domenic Denicola wrote:
>> Tim Berners-Lee wrote:
>>> Yes, but once the webcrypto code is unpolyfilled into the browser
>>> that attack will go away, and you will be able to use it to build
>>> new trust systems, right?
>> No, sad to say. Since the network attacker could modify whatever
>> JavaScript code you are using to implement those trust systems...
> Depends on the implementation. If my HTML text says "this site has been
> compromised, do not trust" but is only removed by *my* JS, then the
> attack would have to be so specific that the attacker's budget could
> get around anything I could do to stop it.
> Although the specifics of the Sony hack show that such a budget doesn't
> need to be huge, sloppy code and all; still glad I quit using NetBIOS in
> '98 or so.
> Just sayin' there's ways to code, and there's ways to code. I can't do
> anything about NetBIOS vulnerabilities, but I can control what my HTML
> and scripting accomplish, and alert users if they aren't.
> -Eric
Received on Saturday, 20 December 2014 13:50:59 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 22:57:08 UTC