
Re: Google warns of unauthorized TLS certificates trusted by almost all OSes

From: Marc Fawzi <marc.fawzi@gmail.com>
Date: Tue, 24 Mar 2015 17:38:19 -0700
Message-ID: <CACioZiuN1qUxTXj7zmnrV-Q6M002yBYnyRCVKAcZQRWyJJeFkw@mail.gmail.com>
To: Melvin Carvalho <melvincarvalho@gmail.com>
Cc: Tim Bray <tbray@textuality.com>, Daniel Appelquist <appelquist@gmail.com>, TAG List <www-tag@w3.org>
... but remember that you were intellectualizing this stuff while ignoring
the fate of people who believe in the browser's security guarantee as
represented by the magical lock icon ... nothing will change till browser
vendors get slapped with a class-action lawsuit from victims of hacking (and
in some cases, especially in Iran etc., victims of state
surveillance/persecution)

Better change that lock icon to have a major crack in it...

On Tue, Mar 24, 2015 at 5:15 PM, Melvin Carvalho <melvincarvalho@gmail.com>
wrote:

>
>
> On 24 March 2015 at 22:38, Tim Bray <tbray@textuality.com> wrote:
>
>> What Daniel said.  Also, see
>> https://www.tbray.org/ongoing/When/201x/2014/07/28/Privacy-Economics
>>
>
> Thanks Tim.  A very well thought-out article.  It seems that moving from
> HTTP to HTTPS is an incremental gain, as you say, rather than a perfect
> solution.  Is HTTPS good enough?  Is HTTP good enough?  I suppose different
> people will have different views on that.  No strong view here, but I lean
> towards agreeing with you.
>
> Better security is of course a good thing.  However, less well mentioned
> in your post is that this may also be a trade-off.  For example, we've seen
> some browsers block mixed http/https content on the web to
> protect against possible MITM attacks.  The opportunity cost here is that
> there are potentially fewer connections on the web.  In a hierarchical
> system that may not be such a big deal, but in a graph-oriented
> architecture, the value is proportional to the number of connections.
>
> I'm not trying to argue for or against here, but just saying that from an
> architectural view it's not black and white (much of the gist of what you
> were saying) and that there are subtle trade-offs, imho, at this point in
> time.
>
>
>>
>> On Wed, Mar 25, 2015 at 8:42 AM, Daniel Appelquist <appelquist@gmail.com>
>> wrote:
>>
>>> Excuse me?
>>>
>>> Marc – can you please refrain from making alarmist, nonsensical
>>> flame-baiting comments like this on our mailing list? Probably this sort of
>>> thing would be more sensibly expressed on Twitter or similar?
>>>
>>> Thanks,
>>> Dan
>>>
>>> On 24 Mar 2015, at 16:47, Marc Fawzi <marc.fawzi@gmail.com> wrote:
>>>
>>> A classic "we told you so" moment for "HTTPS everywhere" promoters and
>>> now state surveillance is baked into HTTP2.0
>>>
>>> Sent from my iPhone
>>>
>>> On Mar 24, 2015, at 9:31 AM, Melvin Carvalho <melvincarvalho@gmail.com>
>>> wrote:
>>>
>>> FYI:
>>>
>>> http://arstechnica.com/security/2015/03/google-warns-of-unauthorized-tls-certificates-trusted-by-almost-all-oses/
>>>
>>
>>
>> --
>> - Tim Bray (If you’d like to send me a private message, see
>> https://keybase.io/timbray)
>>
>
>
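The article Melvin forwarded concerns certificates issued by an intermediate CA that a trusted root should never have authorized. The Go program below is an added example, not code from this thread or from any vendor or project named in it. It builds a toy PKI with Go's standard crypto/x509 package (the CA names and the host www.example.com are constructed for illustration) and shows why the lock icon is no help in this situation: a TLS client's path validation accepts the mis-issued certificate exactly as it accepts the genuine one, since both chain to the trusted root, while a pin on the site's real public key (the SPKI hash HPKP uses) does tell them apart.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// Result is what path validation and an SPKI pin each say about the two leaf certs.
type Result struct {
	LegitAccepted  bool   // the site's genuine certificate passes path validation
	ForgedAccepted bool   // the mis-issued certificate passes path validation too
	PinMatches     bool   // the mis-issued key's SPKI hash equals the genuine pin
	LegitPin       string // base64(SHA-256(SubjectPublicKeyInfo)) of the genuine key
	ForgedPin      string // the same hash for the mis-issued certificate's key
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// template: CAs get the key usages needed to sign; end-entity certs get a DNS SAN and serverAuth EKU.
func template(cn string, ca bool, host string) *x509.Certificate {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	check(err)
	t := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  ca,
	}
	if ca {
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		t.DNSNames = []string{host}
	}
	return t
}

// issue makes a fresh P-256 key for tmpl and has parent sign it (nil parent = self-signed root).
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// spkiPin is the HPKP-style pin: base64(SHA-256(SubjectPublicKeyInfo)).
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// chainAccepted mimics a TLS client: build a path from leaf via the offered intermediate to a trusted root, then check the hostname.
func chainAccepted(leaf, inter, root *x509.Certificate, host string) bool {
	roots, pool := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	pool.AddCert(inter)
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: pool})
	return err == nil
}

// RunScenario: a root in the OS trust store issues a CA certificate to a party
// that controls no domains, and that party then issues a certificate for host.
func RunScenario(host string) Result {
	root, rootKey := issue(template("Toy Root CA (in OS trust store)", true, ""), nil, nil)
	legit, _ := issue(template(host, false, host), root, rootKey) // the site's own cert
	rogue, rogueKey := issue(template("Unauthorized Intermediate", true, ""), root, rootKey)
	forged, _ := issue(template(host, false, host), rogue, rogueKey) // minted by the rogue CA
	return Result{
		LegitAccepted:  chainAccepted(legit, rogue, root, host),
		ForgedAccepted: chainAccepted(forged, rogue, root, host),
		PinMatches:     spkiPin(forged) == spkiPin(legit),
		LegitPin:       spkiPin(legit),
		ForgedPin:      spkiPin(forged),
	}
}

func main() { fmt.Printf("%+v\n", RunScenario("www.example.com")) }
```

Running it prints a Result in which both Accepted fields are true and PinMatches is false: the trust store has no way to know the intermediate was never entitled to speak for that host, only knowledge of the site's real key does. Name constraints on the intermediate and Certificate Transparency logging are the other client-visible controls for CA-side mis-issuance; pinning is simply the one that fits in a few lines.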
Received on Wednesday, 25 March 2015 00:39:29 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 22:57:10 UTC