- From: Eric J. Bowman <eric@bisonsystems.net>
- Date: Mon, 26 Jan 2015 20:26:52 -0700
- To: Henri Sivonen <hsivonen@hsivonen.fi>
- Cc: Marc Fawzi <marc.fawzi@gmail.com>, David Sheets <kosmo.zb@gmail.com>, Domenic Denicola <d@domenic.me>, Tim Berners-Lee <timbl@w3.org>, Chris Palmer <palmer@google.com>, Melvin Carvalho <melvincarvalho@gmail.com>, Mark Nottingham <mnot@mnot.net>, Public TAG List <www-tag@w3.org>
Henri Sivonen wrote:
>
> > Don't expect you to be able to answer all of these questions but I
> > feel like Google needs to evaluate whether they have the right
> > expertise in security on the Chrome team or if the web's most
> > popular browser is driven by false assumptions in this area.
>
> They have the right expertise.
>

Do they? I wouldn't say false assumptions, but I would say assumptions driven by business realities which aren't shared by other stakeholders:

http://www.seobook.com/false-privacy-claims

(just one example, don't shoot the blogger :-)

Wild conspiracy theory? Or widely-shared opinion in my world? The problem is much the same as that faced by government employees: it's desirable to avoid even the *appearance* of impropriety. Which is everywhere I look, i.e. Google's obviously self-serving support of ubiquitous HTTPS, and their level of influence here. (Somewhat mitigated by EFF support for same, but then again some folks accuse TOR of being a great mechanism for taping a target to one's back, surveillance-wise. I don't claim to know, only to be concerned.)

Or HTTP 2 favoring ubiquitous TLS. Without needing proof of *actual* impropriety, it's reasonable to question to what extent the http-wg producibles favoring CDNs over shared caching have been influenced by a chair who's employed by Akamai. Nothing personal, mnot, even considering our past disagreements; but also nothing off-the-wall ridiculous for those in my world to consider.

Supported, of course, by Chrome -- provided by Google, whom those in my world don't trust when it comes to their support of ubiquitous HTTPS, due to their obvious financial stake in same.

Another reason for low participation here from those in my world, is a belief that what they want to talk about (this sort of thing) is frowned upon, or dismissed as so much CTer nonsense. Am I the only developer who feels that way, or am I the only developer who dares bring such issues up, here?

Well, if this weren't such an ivory tower, my "because TAG's an ivory tower" arguments wouldn't hold water as well as I think they do.

-Eric

Received on Tuesday, 27 January 2015 03:27:12 UTC