W3C home > Mailing lists > Public > www-tag@w3.org > January 2015

Re: Verizon Wireless ISP-injected tracking info used to reconstruct deleted cookies

From: Chris Palmer <palmer@google.com>
Date: Thu, 15 Jan 2015 23:54:40 -0800
Message-ID: <CAOuvq21fpFg6q3ru_Akd-uGYxy+Hdnvpv7tw8CTazqg9KNji7A@mail.gmail.com>
To: Noah Mendelsohn <nrm@arcanedomain.com>
Cc: "www-tag@w3.org" <www-tag@w3.org>
On Thu, Jan 15, 2015 at 5:54 PM, Noah Mendelsohn <nrm@arcanedomain.com> wrote:

> Also wondering whether, apropos the recent debates about moving to HTTPS,
> companies like Verizon would be able to MITM HTTPs traffic to play games
> like this. Seems to depend on the cert control provided by mobile browsers,
> and I'm concerned that in practice many of the browsers come from the ISPs,
> which supply the phones, which check the certs....

A code-signed browser from a trustworthy source, consulting only its
own trust anchor store and/or enforcing key pinning and/or enforcing
Certificate Transparency, can generally enforce the guarantees of
HTTPS (which include stopping these cookie insertion attacks).

Of course, if the platform is under the control of someone other than
the owner, such as the carrier, the platform can subvert any
application at run-time.

That underscores the importance of getting one's platform from a
trustworthy vendor. But that problem is entirely outside of TAG's
scope.

HTTPS is what we can do. Buttressing the web PKI is what we can do. So
we do. Some companies with representatives on this list are also
trying to provide trustworthy platforms to run apps on, too. So we do.

Surely, you weren't hoping to use evidence of application-layer
attacks as a reason to not adopt effective application-layer security
techniques.
Received on Friday, 16 January 2015 07:55:14 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 22:57:09 UTC