
Re: Draft finding - "Transitioning the Web to HTTPS"

From: Mark Nottingham <mnot@mnot.net>
Date: Mon, 19 Jan 2015 21:12:28 +1100
Cc: Henri Sivonen <hsivonen@hsivonen.fi>, Chris Palmer <palmer@google.com>, Noah Mendelsohn <nrm@arcanedomain.com>, "Michael[tm] Smith" <mike@w3.org>, Tim Berners-Lee <timbl@w3.org>, Public TAG List <www-tag@w3.org>
Message-Id: <4A0A5A6A-5F0F-46C3-9ED6-CB03120F5B3B@mnot.net>
To: "Henry S. Thompson" <ht@inf.ed.ac.uk>

Hi Henry,

> On 19 Jan 2015, at 8:56 pm, Henry S. Thompson <ht@inf.ed.ac.uk> wrote:
> 
> Mark Nottingham writes:
> 
>> To the latter point -- I still find it remarkable that this is
>> extremely common practice:
>>   http://ist.mit.edu/certificates
>> ... and the OS/browser UX doesn't warn the user of the power granted
>> by doing so (last I checked).
> 
> I'll bite -- what _should_ the UX say?  That is, what _is_ the risk
> (and what is the alternative that MIT should be using)?

That’s a good question. I’m not a UX person, and don’t pretend to be one. My issue is that the user isn’t warned at all, and the default — power to MITM — is surprising, unless you understand how PKI works.

In a perfect world, browser trust stores would only allow CAs to be installed if they have name constraints (perhaps respecting the public suffix list). Since that horse has already bolted, it’s more difficult.


> The alternative an entity not a million miles away from my desk
> uses is to just self-sign and expect us to click through the resulting
> warnings. . .


Cheers,


--
Mark Nottingham   https://www.mnot.net/
Received on Monday, 19 January 2015 10:12:59 UTC
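The name-constraints mechanism the message above wishes browser trust stores would enforce, as an added example (this is not code from the original message, nor from any browser or OS trust store): a small Python implementation of the RFC 5280 section 4.2.1.10 matching rule for dNSName constraints, together with an installation policy that refuses a CA with no constraint at all and a constraint that names an entire public suffix. The `mit.edu` constraint, the `secret.mit.edu` exclusion, the leaf names and the tiny public-suffix set are constructed sample values for illustration, not anything the page states about MIT's actual certificate.

```python
"""Added example: RFC 5280 section 4.2.1.10 name constraints for dNSName, plus a
trust-store installation policy of the kind the message above proposes.
Assumptions (not from the page): the sample constraints, SANs and the tiny
public-suffix set below are constructed for illustration."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class NameConstraints:
    """The dNSName part of a CA certificate's NameConstraints extension."""
    permitted: tuple[str, ...] = ()
    excluded: tuple[str, ...] = ()


def _norm(name: str) -> str:
    # DNS names compare case-insensitively; a trailing dot is the root label.
    return name.lower().rstrip(".")


def dns_in_subtree(name: str, subtree: str) -> bool:
    """RFC 5280: a dNSName satisfies a subtree if it equals the subtree or has
    zero or more extra labels on its left. 'www.mit.edu' is inside 'mit.edu';
    'notmit.edu' is not (the match is label-wise, not a plain string suffix)."""
    n, s = _norm(name), _norm(subtree)
    return n == s or n.endswith("." + s)


def dns_name_allowed(name: str, nc: NameConstraints) -> bool:
    """Excluded subtrees win over permitted ones. An empty permitted set means
    the CA is unconstrained for dNSName, which is the default for a CA installed
    without any constraint: it may issue for every host name."""
    if any(dns_in_subtree(name, ex) for ex in nc.excluded):
        return False
    if nc.permitted:
        return any(dns_in_subtree(name, p) for p in nc.permitted)
    return True


def check_leaf_sans(sans, chain):
    """A leaf name is valid only if every CA in the chain allows it: constraints
    accumulate down the chain, so a sub-CA cannot widen what its issuer permitted."""
    return {san: all(dns_name_allowed(san, nc) for nc in chain) for san in sans}


# Constructed, deliberately tiny stand-in for the public suffix list.
SAMPLE_PUBLIC_SUFFIXES = frozenset({"com", "edu", "org", "co.uk", "ac.uk"})


def installable(nc: NameConstraints, public_suffixes=SAMPLE_PUBLIC_SUFFIXES):
    """Policy for adding a CA to a trust store: refuse a CA with no dNSName
    constraint (power to intercept every site) and one whose constraint covers a
    whole public suffix (the same power, slightly disguised)."""
    if not nc.permitted:
        return False, "no permitted dNSName subtree: CA could issue for any host"
    for p in nc.permitted:
        if _norm(p) in public_suffixes:
            return False, f"permitted subtree {p!r} is a public suffix"
    return True, "ok: scope limited to " + ", ".join(_norm(p) for p in nc.permitted)


def run_demo():
    """Constructed scenario: an institutional CA constrained to mit.edu, with
    one internal zone carved out, checked against three leaf names, beside an
    unconstrained CA of the kind the message above describes."""
    campus_ca = NameConstraints(permitted=("mit.edu",), excluded=("secret.mit.edu",))
    unconstrained_ca = NameConstraints()
    leaves = ("www.mit.edu", "host.secret.mit.edu", "example.com")
    return {
        "campus_ca": check_leaf_sans(leaves, [campus_ca]),
        "unconstrained_ca": check_leaf_sans(leaves, [unconstrained_ca]),
        "install_campus": installable(campus_ca),
        "install_unconstrained": installable(unconstrained_ca),
        "install_whole_tld": installable(NameConstraints(permitted=("edu",))),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Two details carry the security point: an excluded subtree always overrides a permitted one, and constraints are intersected down the chain, so an intermediate issued under a constrained root can narrow but never widen the set of names the root allowed. The `installable` check is the policy hook the message argues is missing today; in practice a real public suffix list, not the constructed set here, would back it.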
