Re: Draft finding - "Transitioning the Web to HTTPS"

19.01.2015, 15:01, "Anne van Kesteren" <annevk@annevk.nl>:
> On Mon, Jan 19, 2015 at 12:51 PM, Paul Libbrecht <paul@hoplahup.net> wrote:
>> Please make browsers reasonably acting when contacting web-site that
>> presents self-signed, expired, and other such certificates are used.
>> The crypto still happens, it's just less verified.
>
> How do you distinguish that happening from a man-in-the-middle attack
> without every site that uses TLS also adopting key pinning (and the
> administrative nightmares that gives)?

This is important. Because the use cases Paul mentions are actually valid (in some cases, even more valid than the corporatist vision of a world where we all line up to collect our security blessing from some large company who provides it on terms we are effectively unable to negotiate).

> Anything but proper CA certificates is a major attack vector

This is misleading. "proper CA certificates" is a very ill-defined term.

There are a few possible ways to make what I believe is your sentiment both clear, and true.

1. I can sign things, and my friends trust them, and to the extent that their friends trust their recommendations they can build a web of trust. This is a slow way to scale, but it is unclear that it is so slow that it would not be the sensible path to securing the Web as a whole, while not throwing out a lot of old unsecured babies nor trying to set aside copyright law in order to move everything we want willy-nilly.

2. We could ask governments to provide certificates. Some countries are loath to do so, other countries are busily trying to install their certificates into your OS. Depending on many factors you might think that is a good or bad thing.

3. We can provide a list of commercial certificate suppliers we trust.

We can also blend these approaches. The current system looks a lot like we use the approach described in 1, but outsource the idea of who is trustworthy to a combination of governments and companies who trust each other, to avoid the complicated task of thinking about which of our friends we trust to get their own house in order, and to avoid the time-consuming work of keeping our own houses in order.

> and if anything we should move towards making it impossible to connect to such sites.

I'd prefer you don't interfere with my decisions about what I want to look at and read. That is a whole step beyond suggesting to me that I might not be getting what I asked for.

The latter is, when done right, a useful service. The former is censorship, and while I support the right of the society I live in to decide that some things should not be made available, I find it highly inappropriate that a browser vendor would take it into their hands to make such decisions.

I support the goal of enhancing the security and privacy of people on the Web. I do not support the right of people who write technical standards to decide what will or will not be available.

(Let me draw an analogy. I have spent almost two decades working on standards to enable the provision of web content that is accessible to people with disabilities. I think it is extremely important to do this. However, I would consider it totally inappropriate for even the best technical experts to be in the position of deciding that content should or should not be made available based on whether it is in fact accessible to all users, even where this is trivially easy and is today done as a matter of course).

cheers

Chaals

--
Charles McCathie Nevile - web standards - CTO Office, Yandex
chaals@yandex-team.ru - - - Find more at http://yandex.com

Received on Tuesday, 20 January 2015 12:28:33 UTC