- From: Marc Fawzi <marc.fawzi@gmail.com>
- Date: Fri, 16 Jan 2015 06:17:26 -0800
- To: Chris Palmer <palmer@google.com>
- Cc: Noah Mendelsohn <nrm@arcanedomain.com>, "www-tag@w3.org" <www-tag@w3.org>
- Message-ID: <CACioZiuWA+OAS+U+_pMi8z0CNcC0nA6Ci=wE9wBW6rP8jq=+jw@mail.gmail.com>
<< Seems to depend on the cert control provided by mobile browsers, and I'm concerned that in practice many of the browsers come from the ISPs, which supply the phones, which check the certs.... >> It's a legal framework issue, and if they can abuse their users like that under the current legal framework then there is nothing to do about it. Having said that, this case is exactly the reason it is so abusive to public trust and web users/developers to say that the web must move to https (or to encourage that) as a way of providing security that in the end, and as long as the legal framework around basic human right of privacy is broken, gives us a false sense of security not real security. So you have everybody adopt https at some cost X (and probably at some cost to the environment, too, due to increased energy use with all those sites having to support https =) but I'm not sure what the additional cost would be... it could be dramatically less or dramatically more than the energy wasted on bitcoin mining) all so that you can prevent the little criminal from invading our privacy but leave weak spots for the NSA, Verizon, rogue nations, and well financed terrorist organizations, et al to exploit (only mentioning stuff already mentioned on this list: including weak NIST crypto curves, Certificate Transparency proposal that does not directly address MITM prevention and it's not even widely adopted and is not subversion proof if the CAs themselves can be undermined on mass basis, and other holes that have not yet been mentioned or have yet to be discovered) .... and eventually, I'm sure the little criminals will get organized and figure out subversion points for https ... so then you've imposed this tax of using https on everyone for mere theatrical reasons and years go by and people realize it's a joke but the whole web is now stuck with it, and requiring it to even function... It's like how big organizations think, like the TSA... let's have everybody take their shoes off and no tooth paste or liquid larger than a given size in carry on luggage, and other brain dead rules like back scatter x-ray machines, only to ultimately introduce a Pre-Check lane where people don't have to do any of those things to prove they're good traffic, but at the expense of creating a huge detailed database of everyone who wants to be in that lane, further feeding the surveillance society paradigm. https has a place along side end to end encryption but if the TAG keeps saying it's outside of its scope to address the legal framework that is supposed to protect us from breaches of privacy (which is ok but the EFF and UCLA are not exactly winning the fight yet, and so it's not like a divide and conquer... we have a real stagnant issue so it must be acknowledged globally), Acknowledge the technical weaknesses of https and be open to a wide range of solutions like DANE, DNSChain, CT, etc Also, acknowledge the brokenness of the legal framework for protecting our privacy, a human right, and give web builders the tools to innovate. Think about it this way: Some gov agency decrees that every house must have this special kind of lock, but it's a lock that has been getting picked by anywhere from rogue nation states to carriers to organized criminals, and the lock cost $250/yr. The people get really pissed. They're paying for the lock (it's certainly not free even if the cost is externalized) and the big bad wolf can still come into their homes at will. My last $0.02 ... Adios. On Thu, Jan 15, 2015 at 11:54 PM, Chris Palmer <palmer@google.com> wrote: > On Thu, Jan 15, 2015 at 5:54 PM, Noah Mendelsohn <nrm@arcanedomain.com> > wrote: > > > Also wondering whether, apropos the recent debates about moving to HTTPS, > > companies like Verizon would be able to MITM HTTPs traffic to play games > > like this. Seems to depend on the cert control provided by mobile > browsers, > > and I'm concerned that in practice many of the browsers come from the > ISPs, > > which supply the phones, which check the certs.... > > A code-signed browser from a trustworthy source, consulting only its > own trust anchor store and/or enforcing key pinning and/or enforcing > Certificate Transparency, can generally enforce the guarantees of > HTTPS (which include stopping these cookie insertion attacks). > > Of course, if the platform is under the control of someone other than > the owner, such as the carrier, the platform can subvert any > application at run-time. > > That underscores the importance of getting one's platform from a > trustworthy vendor. But that problem is entirely outside of TAG's > scope. > > HTTPS is what we can do. Buttressing the web PKI is what we can do. So > we do. Some companies with representatives on this list are also > trying to provide trustworthy platforms to run apps on, too. So we do. > > Surely, you weren't hoping to use evidence of application-layer > attacks as a reason to not adopt effective application-layer security > techniques. > >
Received on Friday, 16 January 2015 14:18:34 UTC