Re: Draft finding - "Transitioning the Web to HTTPS"

On Sat, January 10, 2015 10:04, Rob Meijer wrote:
> On Fri, January 9, 2015 17:52, Henri Sivonen wrote:
>> However, this thread makes me regret my position. Clearly, the issue
>> is not just whether in technical actuality Web Crypto enables
>> something that pure-JS crypto doesn't but about what sort of
>> misconceptions Web developers' minds make up about the difference in
>> capability. The notion that Web Crypto can give you meaningful new
>> security/privacy properties when the JS code on the page calling Web
>> Crypto arrived (from outside localhost) over http transport is false
>> and harmful if relied upon as if it was true.
> The same could be said for https that uses an infrastructure of something
> like 600+ CA+sub-CA's. Web crypto over HTTPS at least could give security
Oops, meant to say HTTP there.

> people the ability to build plug-ins that use an alternative and less
> flawed PKI or something like webkeys over http+webcrypto from the ground
> up using nothing but HTTP and JS code. Something that seems like a nice
> idea, for if new security research for the web is going to rely on browser
> vendors, its definitely not going to happen.

Received on Saturday, 10 January 2015 09:36:53 UTC