Re: Draft finding - "Transitioning the Web to HTTPS"

From: Marc Fawzi <marc.fawzi@gmail.com>
Date: Mon, 26 Jan 2015 21:14:29 -0800
Message-Id: <CD82295A-21B8-4AAC-8A34-7D2FB2DEF707@gmail.com>
Cc: Henri Sivonen <hsivonen@hsivonen.fi>, David Sheets <kosmo.zb@gmail.com>, Domenic Denicola <d@domenic.me>, Tim Berners-Lee <timbl@w3.org>, Chris Palmer <palmer@google.com>, Melvin Carvalho <melvincarvalho@gmail.com>, Mark Nottingham <mnot@mnot.net>, Public TAG List <www-tag@w3.org>
To: "Eric J. Bowman" <eric@bisonsystems.net>

Yes, the Akamai connection is a conflict of interest, but you can argue the same about browser vendors other than Mozilla driving the TAG/W3C ... They do what is in their interest.

I find it disturbing that TimBL's opinion on the matter, which is very inspiring, is not echoed by other vocal members of the TAG ... The "Director hat off" would not be explicitly noted if "Director hat on" wasn't about making compromises with self-interested browser vendors, but this does NOT mean that everyone on the TAG from Google is self-interested. I do find that many have the interest of the web at heart.

You're not the only developer kicking and screaming about the direction of discussions and how they follow corporate interest. Things like enforcing the law when it comes to subverting our human right to share what our eyes see and what our ears hear, but hurry up and slap a still-flawed protocol on top of the big gaping hole of security and privacy to repair their reputation and avoid losing face and losing business. How about doing the hard work of securing the web first before the PR push for https everywhere?

You're hardly the only developer who cares.

But you are one of few who care to talk to the TAG about it. Most devs I know are busy building apps that use their own security protocols and building around the new paradigms, not the much more mature yet much more bureaucratic web platform (with all due respect to those whose life work has been about advancing the web as an open platform for the good of the people).

You're not alone but you might be barking up the wrong tree. However, it's always good to engage those who see differently and who are driven by different priorities. It can only help to note that the decisions being made are not without flaws, to keep people thinking and working in the right direction, or closer to it. 

Again, not implying that all those who work for Google are conspiring to push Google's interest. Many have good and selfless intent.

Sent from my iPhone

> On Jan 26, 2015, at 7:26 PM, "Eric J. Bowman" <eric@bisonsystems.net> wrote:
> 
> Henri Sivonen wrote:
>> 
>>> Don't expect you to be able to answer all of these questions but I
>>> feel like Google needs to evaluate whether they have the right
>>> expertise in security on the Chrome team or if the web's most
>>> popular browser is driven by false assumptions in this area.
>> 
>> They have the right expertise.
> 
> Do they? I wouldn't say false assumptions, but I would say assumptions
> driven by business realities which aren't shared by other stakeholders:
> 
> http://www.seobook.com/false-privacy-claims
> (just one example, don't shoot the blogger :-)
> 
> Wild conspiracy theory? Or widely-shared opinion in my world? The
> problem is much the same as that faced by government employees: it's
> desirable to avoid even the *appearance* of impropriety. Which is
> everywhere I look, i.e. Google's obviously self-serving support of
> ubiquitous HTTPS, and their level of influence here.
> 
> (Somewhat mitigated by EFF support for same, but then again some folks
> accuse TOR of being a great mechanism for taping a target to one's
> back, surveillance-wise. I don't claim to know, only to be concerned.)
> 
> Or HTTP 2 favoring ubiquitous TLS. Without needing proof of *actual*
> impropriety, it's reasonable to question to what extent the http-wg
> producibles favoring CDNs over shared caching have been influenced by a
> chair who's employed by Akamai. Nothing personal, mnot, even considering
> our past disagreements; but also nothing off-the-wall ridiculous for
> those in my world to consider.
> 
> Supported, of course, by Chrome -- provided by Google, whom those in my
> world don't trust when it comes to their support of ubiquitous HTTPS,
> due to their obvious financial stake in same. Another reason for low
> participation here from those in my world, is a belief that what they
> want to talk about (this sort of thing) is frowned upon, or dismissed
> as so much CTer nonsense.
> 
> Am I the only developer who feels that way, or am I the only developer
> who dares bring such issues up, here? Well, if this weren't such an
> ivory tower, my "because TAG's an ivory tower" arguments wouldn't hold
> water as well as I think they do.
> 
> -Eric
Received on Tuesday, 27 January 2015 05:15:04 UTC