RE: Draft finding - "Transitioning the Web to HTTPS"

From: Domenic Denicola <d@domenic.me>
Date: Sat, 20 Dec 2014 20:22:22 +0000
To: Marc Fawzi <marc.fawzi@gmail.com>
CC: Tim Berners-Lee <timbl@w3.org>, "Eric J. Bowman" <eric@bisonsystems.net>, Chris Palmer <palmer@google.com>, Melvin Carvalho <melvincarvalho@gmail.com>, Mark Nottingham <mnot@mnot.net>, Public TAG List <www-tag@w3.org>
Message-ID: <CY1PR0501MB1369B8A00554E32E622F5BE4DF680@CY1PR0501MB1369.namprd05.prod.outlook.com>

Why are you so intent on reinventing secure transport with WebCrypto? Is this some sort of everything-must-be-JavaScript thing?

We have a system that works. Use it. Don't reinvent a new one, spend ten years discovering the myriad of flaws, and then another twenty trying to get wide adoption.

I really see no reason to "help out" with this quixotic campaign.

-----Original Message-----
From: Marc Fawzi [mailto:marc.fawzi@gmail.com] 
Sent: Saturday, December 20, 2014 08:27
To: Domenic Denicola
Cc: Tim Berners-Lee; Eric J. Bowman; Chris Palmer; Melvin Carvalho; Mark Nottingham; Public TAG List
Subject: Re: Draft finding - "Transitioning the Web to HTTPS"


What Tim laid out is exactly why I'm excited about web Crypto, but you have a point about the initial download of whatever system implemented on top of it. 

What if the system was built into a Chrome extension and downloaded via https from the Chrome Web Store? I had a chat with the developer behind AdBlock and he actually wrote a script to check periodically to make sure his extension on the Chrome store hasn't been replaced with a non-official version. He said it's for potentially rogue employees. He had hired some developer(s) to take over the development of the plugin. In the same way, plugin developers can release sensitive plugins on the Chrome Web Store and users can be sure that they're downloading the valid version (via https). After that, everything Tim said (which is inspiring btw) should be implementable and can work over http.

So can we just not go knee-jerk and blanket the web with https when it may only be needed in a few places (assuming web crypto based systems will be developed as built in browser functionality or as plugins downloaded from browser vendor's store?)

Help us out here!

Sent from my iPhone

> On Dec 19, 2014, at 7:51 PM, Domenic Denicola <d@domenic.me> wrote:
> From: Tim Berners-Lee [mailto:timbl@w3.org] 
>> Yes, but once the webcrypto code is unpolyfilled into the browser that attack will go away, and you will be able to use it to build new trust systems, right?
> No, sad to say. Since the network attacker could modify whatever JavaScript code you are using to implement those trust systems, or could even simply insert something like
> Object.defineProperty(window.crypto, "subtle", {
>  get() {
>    return new CompletelyFakeWebCryptoImplementation();
>  }
> });
Received on Saturday, 20 December 2014 20:22:51 UTC
