W3C home > Mailing lists > Public > www-tag@w3.org > June 2015

Re: Draft finding - "Transitioning the Web to HTTPS"

From: timeless <timeless@gmail.com>
Date: Sun, 14 Jun 2015 12:50:29 -0400
Message-ID: <CACsW8eFCsByQSSe2mSswFFbon3rNf8xBFeo0OPVt7-LJ4GSxug@mail.gmail.com>
To: Chris Palmer <palmer@google.com>
Cc: Henri Sivonen <hsivonen@hsivonen.fi>, Tim Berners-Lee <timbl@w3.org>, Public TAG List <www-tag@w3.org>
(I know this is an old thread, I've only recently been given time to look
into tag-- I fit into some buckets-- I'm a single individual without any
affiliation, effectively an end user, regrettably I'm a white English
speaking male; pero yo hablo español; אֲנִי מְדַבֵּר עִבְרִית)

So, one thing that the current browser proxy and CA model really doesn't
handle well is limited delegation of trust.

When I subscribe to private island caching, or corporate something, I'm
forced to install a generic CA (for all practical purposes trusting it
forever-- until it expires or my browser decides it's insecure) and a
generic proxy (clobbering my previous exclusive proxy).

Technically Proxy Auto Configuration exists, but users can't easily[1] set
up multiple distinct limited proxies.

Technically it's sort of possible for a browser vendor to limit trust for a
CA to a single ccTLD [2], but very few are and I don't think that users can
easily do this.

Yes, it's possible for a user to pin a single certificate for a single web
server [3], but it's fairly inconvenient, scary, and means that if the
server changes, you get a scary prompt again, and you don't know if it's
safe to trust.

Chrome and Firefox [4] now have preliminary support for pinning CAs (or
perhaps just lists of certificates) for domains, but it's really limited to
the vendors themselves, and can't be used by islands or users.

I wanted to be able to say "trust 'employer CA' for *.employer.com and *
(single level hosts without FQDN)", and for the island case I'd like to be
able to say "use island-proxy for cdn.YouTube.com and cdn.Netflix.com" and
"trust 'island CA' for cdn.YouTube.com and cdn.Netflix.com", but, I can't.

Instead I'm forced to say "use island-proxy for everything" or "use
employer proxy for everything" and "trust 'employer CA' and 'island CA' for
everything reachable on the Internet except for browser restricted domains".

Yes, you can say "use proxy for everything except small list", but that's a
PITA. Yes you and I can write a PAC [5], but composing multiple PACs is
neither easy nor safe, and writing a PAC isn't practical for an end user.

[1] https://getfoxyproxy.org/proxyservice/2.0/ - Foxy Proxy is a product
sold as a service which can enable such a thing
[2] https://wiki.mozilla.org/CA:NameConstraints - Mozilla's efforts to
constrain CAs
[3] https://wiki.mozilla.org/Security:SSLErrorPages
[4] https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning
[5] http://www.evilbox.ro/windows/proxy-only-for-certain-sites/
On Jan 5, 2015 1:59 PM, "Chris Palmer" <palmer@google.com> wrote:

On Mon, Jan 5, 2015 at 3:04 AM, Tim Berners-Lee <timbl@w3.org> wrote:

> As it happens I just talked to someone who runs a small remote island with
> about 400 people.
> I didn't ask but he brought it up of his own accord, that with everyone on
> wifi and a (17Mb/s ?17MB/s ? he wasn't sure) link supporting everyone, he
> had been recommended and was planning to install a commercial island-wide
> web proxy cache product, as he felt a lot of people watched the same
movies.

In this specific case, I don't see a problem. He can say, on a web
page at https://small-island.org or in an email,

"""
Hello, my fellow Small Islanders. So, as you know, we have a
low-bandwidth link, and YouTube is getting slower now that our
transparent cacheing proxy doesn't work as much. So, I'm going to
install a non-transparent proxy that can proxy even the secure
connections to sites like YouTube.

In order for this to work, you'll have to explicitly set your browser
to use my proxy, and you'll have to add its security certificate to
your computer. The up-side of this is that you can get faster YouTube;
the down-side of this is that you have to trust me not to spy on you.

You might also like to install the proxy in 1 account or profile to
get the speed benefits, and not install it in another account or
profile to stay private. You could have a video profile and an email
and banking profile, for example. If there's enough interest in that,
I'll write up a tutorial.

To make it easier to install the proxy, I've written a small .BAT file
that automates setting the proxy and trusting the certificate. You can
get it at https://small-island.org/install-proxy.bat.

Let me know if you have any questions! Thanks,
--- Al, your Small Island tech support friend
"""

Obviously, the .BAT file should be distributed by secure means only. :)

People can make a choice. It will require Al to write or find a
script. A community of 400 people is small enough for this to be
manageable.

I'm approaching this problem in a utilitarian way: we need to make the
web as safe as we can as often as we can for as many of the billions
of people in the world as we can.  If 400 people have to consider
running a shell script so that being safer can be easier for the other
billions, that's an easy trade-off to make and this edge case should
not loom large in our minds.
Received on Sunday, 14 June 2015 16:50:58 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 22:57:12 UTC