W3C home > Mailing lists > Public > www-tag@w3.org > June 2015

Re: Draft finding - "Transitioning the Web to HTTPS"

From: Alex Russell <slightlyoff@google.com>
Date: Fri, 19 Jun 2015 18:13:20 -0700
Message-ID: <CANr5HFW=uZZqmmMyXZjOvQWm9AzOzTwHNwg7ReyqDK=_kgXqbg@mail.gmail.com>
To: timeless <timeless@gmail.com>
Cc: Philip Jägenstedt <philipj@opera.com>, Chaals from Yandex <chaals@yandex-team.ru>, Anne van Kesteren <annevk@annevk.nl>, Paul Libbrecht <paul@hoplahup.net>, "Henry S. Thompson" <ht@inf.ed.ac.uk>, Mark Nottingham <mnot@mnot.net>, Henri Sivonen <hsivonen@hsivonen.fi>, Chris Palmer <palmer@google.com>, Noah Mendelsohn <nrm@arcanedomain.com>, "Michael[tm] Smith" <mike@w3.org>, Tim Berners-Lee <timbl@w3.org>, Public TAG List <www-tag@w3.org>
Apologies for the slow reply.

One for the record books; I agree with timeless!

On Sun, Jun 14, 2015 at 11:03 AM, timeless <timeless@gmail.com> wrote:

> For the record (since I'm reading this months after the thread and
> have time to review links)
> Philip Jägenstedt wrote:
> > Do you find it inappropriate that the Yandex Browser is currently
> > unable to connect to https://crypto.cat/ and https://tv.eurosport.com/
> > (demo site) with no apparent option for ignoring the problem?
> I don't, apparently they "committed pinning-suicide" [1]:
> >> Clients deciding that “pinning is good” have caused headaches at Google.
> >> It's also worth noting that CryptoCat has committed pinning-suicide in
> >> Chrome at at the moment due to their CA having switched intermediates
> >> between renewals. They're waiting for the release of Chrome 41 to
> recover.
> An entity using a feature and messing up deserves what it gets.
> > If not, you're already OK with browser vendors making such decisions,
> Nope, CryptoCat made the decision on its own, you have to *ask* for
> this pinning, and they clearly asked Google for it.
> > and merely disagree about the cases in which it should be possible to
> > ignore the certificate error.
> Again, CryptoCat asked for pinning. Pinning means "Dear Browser, do
> not trust *any* certificate from *any* CA other than this one {}, I
> entity promise that I will not deploy a certificate for my server from
> any CA that isn't this one {}, and any time you encounter a
> certificate for a server portending to be mine but issued from some
> other CA, you can be assured that it is an impersonation attempt."
> Google Chrome, and Yandex are honoring the declaration that CryptoCat made.
> [1] https://www.imperialviolet.org/2015/01/17/notdane.html
Received on Saturday, 20 June 2015 01:14:18 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 22:57:12 UTC