Re: Verizon Wireless ISP-injected tracking info used to reconstruct deleted cookies

<<
Seems to depend on the cert control provided by mobile browsers, and I'm
concerned that in practice many of the browsers come from the ISPs, which
supply the phones, which check the certs....
>>

It's a legal framework issue, and if they can abuse their users like that
under the current legal framework then there is nothing to do about it.

Having said that, this case is exactly the reason it is so abusive to
public trust and to web users/developers to say that the web must move to
https (or to encourage that) as a way of providing security that in the
end, and as long as the legal framework around the basic human right of
privacy is broken, gives us a false sense of security, not real security.

So you have everybody adopt https at some cost X (and probably at some cost
to the environment, too, due to increased energy use with all those sites
having to support https =) but I'm not sure what the additional cost would
be... it could be dramatically less or dramatically more than the energy
wasted on bitcoin mining), all so that you can prevent the little criminal
from invading our privacy but leave weak spots for the NSA, Verizon, rogue
nations, well-financed terrorist organizations, et al. to exploit (only
mentioning stuff already mentioned on this list: the weak NIST crypto
curves; the Certificate Transparency proposal, which does not directly
address MITM prevention, is not even widely adopted, and is not
subversion-proof if the CAs themselves can be undermined on a mass basis;
and other holes that have not yet been mentioned or have yet to be
discovered).

.... and eventually, I'm sure the little criminals will get organized and
figure out subversion points for https... so then you've imposed this tax
of using https on everyone for mere theatrical reasons, and years go by and
people realize it's a joke, but the whole web is now stuck with it, and
requires it to even function...

It's like how big organizations think, like the TSA... let's have
everybody take their shoes off and allow no toothpaste or liquid larger than
a given size in carry-on luggage, and other brain-dead rules like
backscatter X-ray machines, only to ultimately introduce a Pre-Check lane
where people don't have to do any of those things to prove they're good
traffic, but at the expense of creating a huge detailed database of everyone
who wants to be in that lane, further feeding the surveillance-society
paradigm.

https has a place alongside end-to-end encryption, but if the TAG keeps
saying it's outside of its scope to address the legal framework that is
supposed to protect us from breaches of privacy (which is ok, but the EFF
and UCLA are not exactly winning the fight yet, and so it's not like
divide and conquer... we have a really stagnant issue, so it must be
acknowledged globally), acknowledge the technical weaknesses of https and
be open to a wide range of solutions like DANE, DNSChain, CT, etc. Also,
acknowledge the brokenness of the legal framework for protecting our
privacy, a human right, and give web builders the tools to innovate.

Think about it this way:

Some government agency decrees that every house must have this special kind
of lock, but it's a lock that has been getting picked by everyone from rogue
nation states to carriers to organized criminals, and the lock costs
$250/yr.

The people get really pissed. They're paying for the lock (it's certainly
not free even if the cost is externalized) and the big bad wolf can still
come into their homes at will.

My last $0.02 ... Adios.


On Thu, Jan 15, 2015 at 11:54 PM, Chris Palmer <palmer@google.com> wrote:

> On Thu, Jan 15, 2015 at 5:54 PM, Noah Mendelsohn <nrm@arcanedomain.com> wrote:
>
> > Also wondering whether, apropos the recent debates about moving to HTTPS,
> > companies like Verizon would be able to MITM HTTPS traffic to play games
> > like this. Seems to depend on the cert control provided by mobile browsers,
> > and I'm concerned that in practice many of the browsers come from the ISPs,
> > which supply the phones, which check the certs....
>
> A code-signed browser from a trustworthy source, consulting only its
> own trust anchor store and/or enforcing key pinning and/or enforcing
> Certificate Transparency, can generally enforce the guarantees of
> HTTPS (which include stopping these cookie insertion attacks).
>
> Of course, if the platform is under the control of someone other than
> the owner, such as the carrier, the platform can subvert any
> application at run-time.
>
> That underscores the importance of getting one's platform from a
> trustworthy vendor. But that problem is entirely outside of TAG's
> scope.
>
> HTTPS is what we can do. Buttressing the web PKI is what we can do. So
> we do. Some companies with representatives on this list are also
> trying to provide trustworthy platforms to run apps on, too. So we do.
>
> Surely, you weren't hoping to use evidence of application-layer
> attacks as a reason to not adopt effective application-layer security
> techniques.
>
>
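As an added illustration of the mechanism the thread is arguing about (an on-path carrier adding a per-subscriber header to cleartext HTTP, and a cooperating site using that header to re-issue a tracking cookie the user deleted), here is a constructed Python model. It is not code from the thread or from any party mentioned in it; the header name X-UIDH, the subscriber identifier, the carrier key and the host names are assumptions for illustration. The HTTPS case is modelled simply by the request not passing through the rewriting proxy, since inside TLS the carrier sees only ciphertext records and cannot parse or edit the request.

```python
"""Constructed model of ISP header injection and cookie respawning.
Added example; header name X-UIDH, subscriber id, carrier key and host
names are assumed for illustration, not taken from the thread."""
import hashlib
import hmac
from typing import Dict, Tuple

CRLF = b"\r\n"
# Assumed carrier-side key; the real value would never leave the carrier.
CARRIER_SECRET = b"constructed-carrier-key"


def build_request(method: str, path: str, headers: Dict[str, str],
                  body: bytes = b"") -> bytes:
    """Serialise an HTTP/1.1 request as it travels on the wire."""
    lines = [f"{method} {path} HTTP/1.1".encode("ascii")]
    lines += [f"{k}: {v}".encode("latin-1") for k, v in headers.items()]
    return CRLF.join(lines) + CRLF + CRLF + body


def parse_request(raw: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Split raw request bytes into (request line, lower-cased headers, body)."""
    head, _, body = raw.partition(CRLF + CRLF)
    request_line, *header_lines = head.split(CRLF)
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return request_line.decode("ascii"), headers, body


def parse_cookies(cookie_header: str) -> Dict[str, str]:
    """Parse 'a=1; b=2' into a dict; an empty header gives an empty dict."""
    jar: Dict[str, str] = {}
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            jar[name] = value
    return jar


def carrier_proxy(raw: bytes, subscriber_id: str, secret: bytes) -> bytes:
    """What an on-path carrier can do to cleartext HTTP: parse the request and
    add a stable per-subscriber header. The token is an HMAC of the subscriber
    id, so it is constant across sessions but not reversible by third parties.
    Inside TLS the proxy sees only ciphertext, so this rewrite is impossible."""
    request_line, headers, body = parse_request(raw)
    token = hmac.new(secret, subscriber_id.encode("utf-8"),
                     hashlib.sha256).hexdigest()[:24]
    headers["x-uidh"] = token
    method, path, _ = request_line.split(" ", 2)
    return build_request(method, path, headers, body)


class TrackerSite:
    """A site that wants a persistent visitor id. If the browser sends no
    tracking cookie but the injected header is present, the site looks the
    header up and re-issues the id it had before the cookies were cleared."""

    def __init__(self) -> None:
        self.by_uidh: Dict[str, str] = {}
        self.issued = 0

    def _fresh_id(self) -> str:
        self.issued += 1
        return f"trk-{self.issued:04d}"

    def handle(self, raw: bytes) -> Tuple[str, bool]:
        """Return (visitor id, True if the id was respawned from X-UIDH)."""
        _, headers, _ = parse_request(raw)
        cookies = parse_cookies(headers.get("cookie", ""))
        if "trk" in cookies:
            return cookies["trk"], False
        uidh = headers.get("x-uidh")
        if uidh is not None and uidh in self.by_uidh:
            return self.by_uidh[uidh], True
        visitor = self._fresh_id()
        if uidh is not None:
            self.by_uidh[uidh] = visitor
        return visitor, False


def demo() -> Tuple[str, str, str]:
    """Three visits by the same subscriber to the same tracker."""
    site = TrackerSite()
    req = build_request("GET", "/pixel.gif", {"Host": "ads.example"})
    # 1: cleartext HTTP through the carrier; header injected, id issued.
    vid1, _ = site.handle(carrier_proxy(req, "subscriber-42", CARRIER_SECRET))
    # 2: the user has cleared cookies; the injected header brings the id back.
    vid2, _ = site.handle(carrier_proxy(req, "subscriber-42", CARRIER_SECRET))
    # 3: the carrier could not rewrite the request (HTTPS); no linkage, new id.
    vid3, _ = site.handle(req)
    return vid1, vid2, vid3


if __name__ == "__main__":
    print(demo())  # ('trk-0001', 'trk-0001', 'trk-0002')
```

The point the model makes concrete is that the linkage lives in the site's lookup table keyed on the injected header, which clearing cookies cannot reach; the only thing that removes the linkage is denying the carrier the ability to rewrite the request at all, which is what the TLS tunnel does as long as the browser's trust store, pinning or CT checks keep a carrier-installed root from opening it.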

Received on Friday, 16 January 2015 14:18:34 UTC