Re: Draft finding - "Transitioning the Web to HTTPS"

On Fri, January 9, 2015 17:52, Henri Sivonen wrote:

> However, this thread makes me regret my position. Clearly, the issue
> is not just whether in technical actuality Web Crypto enables
> something that pure-JS crypto doesn't but about what sort of
> misconceptions Web developers' minds make up about the difference in
> capability. The notion that Web Crypto can give you meaningful new
> security/privacy properties when the JS code on the page calling Web
> Crypto arrived (from outside localhost) over http transport is false
> and harmful if relied upon as if it was true.

The same could be said for https that uses an infrastructure of something
like 600+ CA+sub-CA's. Web crypto over HTTPS at least could give security
people the ability to build plug-ins that use an alternative and less
flawed PKI or something like webkeys over http+webcrypto from the ground
up using nothing but HTTP and JS code. Something that seems like a nice
idea, for if new security research for the web is going to rely on browser
vendors, its definitely not going to happen.

Received on Saturday, 10 January 2015 09:04:44 UTC