Hi everyone,
Apologies to those of you who are about to get this more than once, due to the cross-posting. I'd like to get feedback from a wide variety of people: UA developers, web developers, and users. The canonical location for this proposal is: https://www.chromium.org/Home/chromium-security/marking-http-as-non-secure.
Proposal
We, the Chrome Security Team, propose that user agents (UAs) gradually change their UX to display non-secure origins as affirmatively non-secure. We intend to devise and begin deploying a transition plan for Chrome in 2015.
The goal of this proposal is to more clearly display to users that HTTP provides no data security.
Request
We’d like to hear everyone’s thoughts on this proposal, and to discuss with the web community about how different transition plans might serve users.
Background
We all need data communication on the web to be secure (private, authenticated, untampered). When there is no data security, the UA should explicitly display that, so users can make informed decisions about how to interact with an origin.
Roughly speaking, there are three basic transport layer security states for web origins:
Secure (valid HTTPS, other origins like (*, localhost, *));
Dubious (valid HTTPS but with mixed passive resources, valid HTTPS with minor TLS errors); and
Non-secure (broken HTTPS, HTTP).
For more precise definitions of secure and non-secure, see Requirements for Powerful Features and Mixed Content.
We know that active tampering and surveillance attacks, as well as passive surveillance attacks, are not theoretical but are in fact commonplace on the web.
RFC 7258: Pervasive Monitoring Is an Attack
NSA uses Google cookies to pinpoint targets for hacking
Verizon’s ‘Perma-Cookie’ Is a Privacy-Killing Machine
How bad is it to replace adSense code id to ISP's adSense ID on free Internet?
Comcast Wi-Fi serving self-promotional ads via JavaScript injection
Erosion of the moral authority of transparent middleboxes
Transitioning The Web To HTTPS
We know that people do not generally perceive the absence of a warning sign. (See e.g. The Emperor's New Security Indicators.) Yet the only situation in which web browsers are guaranteed not to warn users is precisely when there is no chance of security: when the origin is transported via HTTP. Here are screenshots of the status quo for non-secure domains in Chrome, Safari, Firefox, and Internet Explorer:
Particulars
UA vendors who agree with this proposal should decide how best to phase in the UX changes given the needs of their users and their product design constraints. Generally, we suggest a phased approach to marking non-secure origins as non-secure. For example, a UA vendor might decide that in the medium term, they will represent non-secure origins in the same way that they represent Dubious origins. Then, in the long term, the vendor might decide to represent non-secure origins in the same way that they represent Bad origins.
Ultimately, we can even imagine a long term in which secure origins are so widely deployed that we can leave them unmarked (as HTTP is today), and mark only the rare non-secure origins.
There are several ways vendors might decide to transition from one phase to the next. For example, the transition plan could be time-based:
T0 (now): Non-secure origins unmarked
T1: Non-secure origins marked as Dubious
T2: Non-secure origins marked as Non-secure
T3: Secure origins unmarked
Or, vendors might set thresholds based on telemetry that measures the ratios of user interaction with secure origins vs. non-secure. Consider this strawman proposal:
Secure > 65%: Non-secure origins marked as Dubious
Secure > 75%: Non-secure origins marked as Non-secure
Secure > 85%: Secure origins unmarked
The particular thresholds or transition dates are very much up for discussion. Additionally, how to define “ratios of user interaction” is also up for discussion; ideas include the ratio of secure to non-secure page loads, the ratio of secure to non-secure resource loads, or the ratio of total time spent interacting with secure vs. non-secure origins.
We’d love to hear what UA vendors, web developers, and users think. Thanks for reading!
Hello Chris et al:
I'm a web developer. I did some vendor security-related development sometime ago inside Konqueror. Some first thoughts:
* In principle, the proposal makes sense to me. Who doesn't want a more secure web? Kudos for making it possible with ambitious proposals like this.
* The biggest problem I see is that to get an accepted certificate traditionally you needed to pay. This was a show-stopper for having TLS certs in small websites. Mozilla, EFF, Cisco, Akamai are trying to fix that [1] and that StartSSL gives free certificates though. Just stating the obvious: you either get easy and free "secure" certificates, or this proposal is going to make some webmasters angry.
Regards,
--
[1] https://www.eff.org/deeplinks/2014/11/certificate-authority-encrypt-entire-web
I'm a web developer. I did some vendor security-related development sometime ago inside Konqueror. Some first thoughts:
* In principle, the proposal makes sense to me. Who doesn't want a more secure web? Kudos for making it possible with ambitious proposals like this.
* The biggest problem I see is that to get an accepted certificate traditionally you needed to pay. This was a show-stopper for having TLS certs in small websites. Mozilla, EFF, Cisco, Akamai are trying to fix that [1] and that StartSSL gives free certificates though. Just stating the obvious: you either get easy and free "secure" certificates, or this proposal is going to make some webmasters angry.
Regards,
--
[1] https://www.eff.org/deeplinks/2014/11/certificate-authority-encrypt-entire-web
--
Eduardo Robles Elvira @edulix skype: edulix2
http://agoravoting.org @agoravoting +34 634 571 634
http://agoravoting.org @agoravoting +34 634 571 634
On Fri, Dec 12, 2014 at 5:17 PM, Eduardo Robles Elvira <edu...@agoravoting.com> wrote:
* The biggest problem I see is that to get an accepted certificate traditionally you needed to pay. This was a show-stopper for having TLS certs in small websites. Mozilla, EFF, Cisco, Akamai are trying to fix that [1] and that StartSSL gives free certificates though. Just stating the obvious: you either get easy and free "secure" certificates, or this proposal is going to make some webmasters angry.
Oh yes, absolutely. Obviously, Let's Encrypt is a great help, and SSLMate's ease-of-use and low price is great, and CloudFlare's free SSL helps too.
Hopefully, as operations like those ramp up, it will get increasingly easier for web developers to switch to HTTPS. We (Chrome) will weigh changes to the UX very carefully, and with a close eye on HTTPS adoption.
Fantastic news, I'm very glad to see the Chrome Security Team taking initiative on this.
Existing browsers' behavior of defaulting to, and using a "neutral" UI for, HTTP is fundamentally an assumption what users want. And it's not an assumption that is grounded in data.
No ordinary users' mental for communication on the net includes lack of authenticity, integrity, or confidentially. Plaintext is a blight on the internet, and this is a fantastic step towards making reality match users (TOTALLY REASONABLE!) expectations.
Cheers,
Alex
To unsubscribe from this group and stop receiving emails from it, send an email to securi...@chromium.org.
Free SSL certificates helps, but another problem is that activating SSL not only generates warnings, but just break the site due to links to insecure resources. Just consider a case of old pages with a few youtube videos served using http iframes. Accessing those pages over https stops the videos from working as browsers blocks access to active insecure context. And in case of youtube one can fix that, but for other resources it may not be possible.
So what is required is ability to refer to insecure context from HTTPS pages without harming user experience. For example, it should be a way to insert http iframe into https site. Similarly, it would be nice if a web-developer could refer to scripts, images etc. over http as long as the script/image tag is accompanied with a secure hash of known context.
_______________________________________________
dev-security mailing list
dev-se...@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
On Sat, Dec 13, 2014 at 1:46 AM, 'Chris Palmer' via blink-dev <blin...@chromium.org> wrote:For completeness sake, here’s what a non-secure looks like in Opera:We know that people do not generally perceive the absence of a warning sign. (See e.g. The Emperor's New Security Indicators.) Yet the only situation in which web browsers are guaranteed not to warn users is precisely when there is no chance of security: when the origin is transported via HTTP. Here are screenshots of the status quo for non-secure domains in Chrome, Safari, Firefox, and Internet Explorer:
I see a big danger in the current trend. Expecting everyone having a free „secure“ certificate and being in requirement to enable HTTPS it will result in nothing won. DV certificates (similar to DANE) do finally say absolute nothing about the website operator.
They ensure encryption, so I can then be phished, be scammed, … encrypted. Big advantage!^^ Pushing real validation (e.g. EV with green adressbar and validated details by an independent third party, no breakable, spoofable automatism) vs. no validation is
much more important and should be focussed on. However, this „change“ could come with marking HTTP as Non-Secure, but just stating HTTPS as secure is the completely wrong sign and will result in more confusion and loosing any trust in any kind of browser padlocks
than before.
Just a proposal:
Mark HTTP as Non-Secure (similar to self-signed) e.g. with a red padlock or sth. similar.
Mark HTTPS as Secure (and only secure in favor of encrypted) e.g. with a yellow padlock or sth. similar
Mark HTTPS with Extended Validation (encrypted and validated) as it is with a green padlock or sth. similar
This would be a good road for more security on the web.
So, if I have just a static page only with information about my company, I need to buy a ssl certificate. That doesn't sound rational. Even if I'll get some free sertificate why should I put it on my static page?
I've read some opinions about this proposal on other forums, and it seems to be that most people are against it.
I've read some opinions about this proposal on other forums, and it seems to be that most people are against it.
Because otherwise various parties could modify that information to say bad things about your company, and visitors to your site would have no idea the modification has taken place.
From: rval...@gmail.com
Sent: 2014-12-13 18:03
To: blin...@chromium.org
Subject: [blink-dev] Proposal: Marking HTTP As Non-Secure
So, if I have just a static page only with information about my company, I need to buy a ssl certificate. That doesn't sound rational. Even if I'll get some free sertificate why should I put it on my static page?To unsubscribe from this group and stop receiving emails from it, send an email to blin...@chromium.org.
I've read some opinions about this proposal on other forums, and it seems to be that most people are against it.
On Sat, Dec 13, 2014 at 8:56 AM, Igor Bukanov <ig...@mir2.org> wrote:
Free SSL certificates helps, but another problem is that activating SSL not only generates warnings, but just break the site due to links to insecure resources. Just consider a case of old pages with a few youtube videos served using http iframes. Accessing those pages over https stops the videos from working as browsers blocks access to active insecure context. And in case of youtube one can fix that, but for other resources it may not be possible.
Yes, unfortunately we have a collective action problem. (http://en.wikipedia.org/wiki/Collective_action#Collective_action_problem) But just because it's hard, doesn't mean we don't have try. I'd suggest that embedders ask embeddees to at least make HTTPS available, even if not the default.
Also, keep in mind that this proposal is only to mark HTTP as non-secure — HTTP will still work, and you can still host your site over HTTP.
So what is required is ability to refer to insecure context from HTTPS pages without harming user experience.
No, because that reduces or eliminates the security guarantee of HTTPS.
For example, it should be a way to insert http iframe into https site. Similarly, it would be nice if a web-developer could refer to scripts, images etc. over http as long as the script/image tag is accompanied with a secure hash of known context.
Same thing here. The security guarantee of HTTPS is the combination of server authentication, data integrity, and data confidentiality. It is not a good user experience to take away confidentiality without telling users. And, unfortunately, we cannot effectively communicate that nuance. We have enough trouble effectively communicating the secure/non-secure distinction as it is.
Chris,
Is there a plan for HTTP to eventually have an interstitial, the way HTTPS with a bogus cert does?
Is there a plan for HTTP to eventually have an interstitial, the way HTTPS with a bogus cert does?
Alex
To unsubscribe from this group and stop receiving emails from it, send an email to securi...@chromium.org.
On Sat, Dec 13, 2014 at 11:05 AM, Christian Heutger <chri...@heutger.net> wrote:
I see a big danger in the current trend. Expecting everyone having a free „secure“ certificate and being in requirement to enable HTTPS it will result in nothing won. DV certificates (similar to DANE) do finally say absolute nothing about the website operator.
Reducing the number of parties you have to trust from [ the site operator, the operators of all networks between you and the site operator ] to just [ the site operator ] is a huge win.
They ensure encryption, so I can then be phished, be scammed, … encrypted. Big advantage!^^ Pushing real validation (e.g. EV with green adressbar and validated details by an independent third party, no breakable, spoofable automatism) vs. no validation is much more important and should be focussed on.
I think you'll find EV is not as "extended" as you might be hoping.
But more importantly, the only way to get minimal server auth, data integrity, and data confidentiality on a mass scale is with something at least as easy to deploy as DV. Indeed, you'll see many of the other messages in this thread are from people concerned that DV isn't easy enough yet! So requiring EV is a non-starter.
Additionally, the web origin concept is (scheme, host, port). Crucially, EV-issued names are not distinct origins from DV-issued names, and proposals to enforce such a distinction in browsers have not gotten any traction because they are not super feasible (for a variety of reasons).
However, this „change“ could come with marking HTTP as Non-Secure, but just stating HTTPS as secure is the completely wrong sign and will result in more confusion and loosing any trust in any kind of browser padlocks than before.
HTTPS is the bare minimum requirement for secure web application *transport*. Is secure transport by itself sufficient to achieve total *application-semantic* security? No. But a browser couldn't determine that level of security anyway. Our goal is for the browser to tell as much of the truth as it can programatically determine at run-time.
On Sat, Dec 13, 2014 at 3:02 PM, <rval...@gmail.com> wrote:
So, if I have just a static page only with information about my company, I need to buy a ssl certificate.
No, you don't. You can host your static page via HTTP if you prefer.
That doesn't sound rational. Even if I'll get some free sertificate why should I put it on my static page?
I cited some examples of why you might care about secure transport:
RFC 7258: Pervasive Monitoring Is an Attack
NSA uses Google cookies to pinpoint targets for hacking
Verizon’s ‘Perma-Cookie’ Is a Privacy-Killing Machine
How bad is it to replace adSense code id to ISP's adSense ID on free Internet?
Comcast Wi-Fi serving self-promotional ads via JavaScript injection
Because the browser doesn't know what your page means to a human, but it needs to tell the human something about how securely the page was transmitted over the web. Some single-page sites are about sensitive topics like the news, political beliefs, religious beliefs, health information; other single-page sites are just cute cats. It's up to the human to decide how important it is to them that the information be transmitted securely.
Additionally, if publishers are seeking to monetize their sites, such as by restricting viewing to paid subscribers or by showing ads, secure transport is important for that.
On 14 December 2014 at 18:59, Chris Palmer <pal...@google.com> wrote:
Yes, unfortunately we have a collective action problem. (http://en.wikipedia.org/wiki/Collective_action#Collective_action_problem) But just because it's hard, doesn't mean we don't have try. I'd suggest that embedders ask embeddees to at least make HTTPS available, even if not the default.Also, keep in mind that this proposal is only to mark HTTP as non-secure — HTTP will still work, and you can still host your site over HTTP.
If serving context over HTTPS generates broken pages, the insensitive of enabling encryption is very low. As it was already mentioned, a solution to that is to allow to serve encrypted pages over HTTP so pages that refer to unencrypted elements would not break pages but just produces warnings. Such encrypted http:// also allows to generate less warnings for a page where all context is available over self-signed and key-pinned certificate as that solution is strictly more secure then a plain HTTP.
On Sun, Dec 14, 2014 at 10:00 AM, Alex Gaynor <alex....@gmail.com> wrote:
Is there a plan for HTTP to eventually have an interstitial, the way HTTPS with a bogus cert does?
We (Chrome) have no current plan to do that. In the Beautiful Future when some huge percentage of pageviews are shown via secure transport, it might or might not make sense to interstitial HTTP then. I kind of doubt that it will be a good idea, but who knows. We'll see.
On Sun, Dec 14, 2014 at 10:34 AM, Igor Bukanov <ig...@mir2.org> wrote:
If serving context over HTTPS generates broken pages, the insensitive of enabling encryption is very low.
That's the definition of a collective action problem, yes.
I think that the incentives will change, and are changing, and people are becoming more aware of the problems of non-secure transport. There is an on-going culture shift, and more and more publishers are going to offer HTTPS. For example, http://open.blogs.nytimes.com/author/eitan-konigsburg/?_r=0.
As it was already mentioned, a solution to that is to allow to serve encrypted pages over HTTP so pages that refer to unencrypted elements would not break pages but just produces warnings. Such encrypted http:// also allows to generate less warnings for a page where all context is available over self-signed and key-pinned certificate as that solution is strictly more secure then a plain HTTP.
But, again, consider the definition of the origin. If it is possible for securely-transported code to run in the same context as non-securely transported code, the securely-transported code is effectively non-secure.
On 14 December 2014 at 19:40, Chris Palmer <pal...@google.com> wrote:
But, again, consider the definition of the origin. If it is possible for securely-transported code to run in the same context as non-securely transported code, the securely-transported code is effectively non-secure.
Yes, but the point is that the page will be shown with the same warnings as a plain http page rather then showing a broken page.
I.e. just consider that currently a hosting provider has no option to unconditionally encrypt pages they host for modern browsers as that may break pages of the users. With encrypted http:// they get such option delegating the job of fixing warnings about insecure context to the content producers as it should.
On Sun, Dec 14, 2014 at 10:53 AM, Igor Bukanov <ig...@mir2.org> wrote:
I.e. just consider that currently a hosting provider has no option to unconditionally encrypt pages they host for modern browsers as that may break pages of the users. With encrypted http:// they get such option delegating the job of fixing warnings about insecure context to the content producers as it should.
I'm sorry; I still don't understand what you mean. Do you mean that you want browsers to treat some hypothetical encrypted HTTP protocol as if it were a secure origin, but still allow non-secure embedded content in these origins?
I would argue strongly against that, and so far not even the "opportunistic encryption" advocates have argued for that.
I would like to see some hypothetical encrypted http:// when a browser present a page as if it was over https:// if everything of a secure origin and as if it was served over plain http if not. That is, if a future browser shows warnings for plain http, so it will show the same warnings for encrypted http:// with insecure resources.
The point of such encrypted http:// is to guarantee that *enabling encryption never degrades user experience* compared with the case of plain http. This will allow for a particular installation to start serving everything encrypted independently from the job of fixing the content. And as the page still served as http://, the user training/expectations about https:// sites no longer applies.
The point of such encrypted http:// is to guarantee that *enabling encryption never degrades user experience* compared with the case of plain http. This will allow for a particular installation to start serving everything encrypted independently from the job of fixing the content. And as the page still served as http://, the user training/expectations about https:// sites no longer applies.
> I would like to see some hypothetical encrypted http:// when a browserBrowsers have flirted with along the lines of your proposal with
> present a page as if it was over https:// if everything of a secure origin
> and as if it was served over plain http if not. That is, if a future browser
> shows warnings for plain http, so it will show the same warnings for
> encrypted http:// with insecure resources.
non-blocking mixed content icons. Unfortunately, websites are not
static - so the net effect was that if you watched the address bar
constantly, you'd eventually get notified that your previously-entered
data that you thought will be visible only to a "secure" origin has
been already leaked to / exposed to network attackers.
The main point of having a visible and stable indicator for encrypted
sites is to communicate to the user that the site offers a good degree
of resilience against the examination or modification of the exchanged
data by network attackers. (It is a complicated property and it is
often misunderstood as providing clear-cut privacy assurances for your
online habits, but that's a separate topic.)
Any changes that make this indicator disappear randomly at unexpected
times, or make the already-complicated assurances more fragile and
even harder to explain, are probably not the right way to go.
/mz
On 14 December 2014 at 20:47, Michal Zalewski <lca...@google.com> wrote:
The main point of having a visible and stable indicator for encrypted
sites is to communicate to the user that the site offers a good degree
of resilience against the examination or modification of the exchanged
data by network attackers.
Then browser should show absolutely no indications of secure origin for encrypted http://. The idea is that encrypted http:// experience would be equivalent to the current http experience with no indications of security and no warnings. However, encrypted http:// with insecure elements will start to produce warnings in the same way a future browser will show warnings for plain http.
Without something like this I just do not see how a lot of sites could ever start enabling encryption unconditionally. I.e. currently enabling https requires to modify content often in a significant way. I would for a site operator to have an option to enabling encryption unconditionally without touching the content.
> Then browser should show absolutely no indications of secure origin forAs mentioned in my previous response, this gets *really* hairy because
> encrypted http://. The idea is that encrypted http:// experience would be
> equivalent to the current http experience with no indications of security
> and no warnings. However, encrypted http:// with insecure elements will
> start to produce warnings in the same way a future browser will show
> warnings for plain http.
the "has insecure elements" part is not a static property that can be
determined up front; so, you end up with the problem of sudden and
unexpected downgrades and notifying the user only after the
confidentiality or integrity of the previously-stored data has been
compromised.
/mz
> Reducing the number of parties you have to trust from [ the site operator, the operators of all networks between you and the site operator ] to just [ the site operator ] is a huge win.
But how can I trust him and who is he? No WHOIS records no imprint, all spoofable, so in what should I trust then? If there is a third-party, who state me, the details given are correct and they have a warranty for misinformation, that’s something I could
trust. I also look at online-shopping if there are customer reviews, but I do not recognize them as fully trustable as they may be spoofed, if the shop has a seal like Trusted Shops with a money-back guarantee, I feel good and shop there.
> I think you'll find EV is not as "extended" as you might be hoping.
I know, but it’s the best we currently have. And DV is much worser, finally loosing any trust in HTTPS with it, scaling it down to encryption, nothing else.
> But more importantly, the only way to get minimal server auth, data integrity, and data confidentiality on a mass scale is with something at least as easy to deploy as DV. Indeed, you'll see many of the other messages in this thread are from people concerned that DV isn’t> easy enough yet! So requiring EV is a non-starter.
I agree on data confidentiality, maybe also on integrity although DV without effort or costs may break that also in any way, but server auth is somehow saying nothing as any server endpoint I called I get, nothing more is authenticated. However, I support
the idea of having mass encryption, but before confusing and damaging end users mind on internet security, there need to be a clear differentiation in just encryption and encryption with valid authentication.
> HTTPS is the bare minimum requirement for secure web application *transport*. Is secure transport by itself sufficient to achieve total *application-semantic* security? No. But a browser couldn't determine that level of security anyway. Our goal is for the browser to tell> as much of the truth as it can programatically determine at run-time.
But wasn’t that the idea of certificates? Seals on websites can be spoofed, WHOIS records can be spoofed, imprints can be spoofed, but spoofing EV certificates, e.g. in combination with solutions like pinning, is a hard job. Considering there would be
no browser warning for self-signed certificates, I do not see any advantage in mass developed (finally requiring a full automated process) DV certificates. It’s a bit back to the roots to times, I remember, some website operators offered their self-signed
root to be installed in the browser to remove the browser warning.
On Sun, Dec 14, 2014 at 11:08 AM, 'Chris Palmer' via Security-devI'm also not clear on what Igor intended, but there is a real issue
<securi...@chromium.org> wrote:
> On Sun, Dec 14, 2014 at 10:53 AM, Igor Bukanov <ig...@mir2.org> wrote:
>
>> I.e. just consider that currently a hosting provider has no option to
>> unconditionally encrypt pages they host for modern browsers as that may
>> break pages of the users. With encrypted http:// they get such option
>> delegating the job of fixing warnings about insecure context to the content
>> producers as it should.
>
>
> I'm sorry; I still don't understand what you mean. Do you mean that you want
> browsers to treat some hypothetical encrypted HTTP protocol as if it were a
> secure origin, but still allow non-secure embedded content in these origins?
with browser presentation of URLs using TLS today. There is no way to
declare "I know that this page will have insecure content, so don't
consider me a secure origin" such that the browser will show a
"neutral" icon rather than a warning icon. I think there is a strong
impression that a closed lock is better than neutral, but a yellow
warning sign over the lock is worse than neutral. Today prevents
sites from using HTTPS unless they have a very high confidence that
all resources on the page will come from secure origins.
Thanks,
Peter
(Ouch. maintaining the cross-posting ;( ).
15.12.2014, 11:57, "Christian Heutger" <chri...@heutger.net>:
However, this „change“ could come with marking HTTP as Non-Secure, but just stating HTTPS as secure is the completely wrong sign and will result in more confusion and loosing any trust in any kind of browser padlocks than before.
The message someone wrote about "I understand I am using insecure mixed content, please don't make me look worse than someone who doesn't understand that" strikes a chord - I think there is value in supporting the use case.
Just a proposal:Mark HTTP as Non-Secure (similar to self-signed) e.g. with a red padlock or sth. similar.Mark HTTPS as Secure (and only secure in favor of encrypted) e.g. with a yellow padlock or sth. similarMark HTTPS with Extended Validation (encrypted and validated) as it is with a green padlock or sth. similar
Just a "nit pick" - please don't EVER rely only on colour distinction to communicate anything important. There are a lot of colour-blind people, and on top there are various people who rely on high-contrast modes and the like which effectively strip the colour out.
cheers
Chaals
--
Charles McCathie Nevile - web standards - CTO Office, Yandex
cha...@yandex-team.ru - - - Find more at http://yandex.com
cha...@yandex-team.ru - - - Find more at http://yandex.com
On 14 December 2014 at 23:57, Peter Bowen <pzb...@gmail.com> wrote:
I think there is a strong
impression that a closed lock is better than neutral, but a yellow
warning sign over the lock is worse than neutral.
The problem is not just a warning sign.
Browsers prevents any active context including iframe served over http from loading. Thus showing a page with youtube and other videos over https is not an option unless one fixes the page. Now consider that it is not a matter of running sed on a set of static files but rather patching the stuff stored in the database or fixing JS code that inserts the video as the task of enabling https becomes non-trivial and very content dependent.
So indeed an option to declare that despite proper certificates and encryption the site should be treated as of insecure origin is needed. This way the page will be shown as if it was served as before with plain http with no changes in user experience. But then it cannot be a https site since many users still consider that https is enough to assume a secure site. Hence the idea of encrypted http:// or something that makes user experience with an encrypted page absolutely the same as she has with plain http:// down to the browser stripping http:// from the URL.
After considering this I think it will be even fine for a future browser to show a warning for such properly-encrypted-but-explicitly-declared-as-insecure in the same way as a warning will be shown for plain http. And it will be really nice if a site operator, after activating such user-invisible encryption, can receive reports from a browser about any violation of the secure origin policy in the same way how violations of CSP are reported today. This would give nice possibility of activating encryption without breaking anything, collecting reports of violated secure origin policy, fixing content and finally declaring the site explicitly https-only.
Browsers prevents any active context including iframe served over http from loading. Thus showing a page with youtube and other videos over https is not an option unless one fixes the page. Now consider that it is not a matter of running sed on a set of static files but rather patching the stuff stored in the database or fixing JS code that inserts the video as the task of enabling https becomes non-trivial and very content dependent.
So indeed an option to declare that despite proper certificates and encryption the site should be treated as of insecure origin is needed. This way the page will be shown as if it was served as before with plain http with no changes in user experience. But then it cannot be a https site since many users still consider that https is enough to assume a secure site. Hence the idea of encrypted http:// or something that makes user experience with an encrypted page absolutely the same as she has with plain http:// down to the browser stripping http:// from the URL.
After considering this I think it will be even fine for a future browser to show a warning for such properly-encrypted-but-explicitly-declared-as-insecure in the same way as a warning will be shown for plain http. And it will be really nice if a site operator, after activating such user-invisible encryption, can receive reports from a browser about any violation of the secure origin policy in the same way how violations of CSP are reported today. This would give nice possibility of activating encryption without breaking anything, collecting reports of violated secure origin policy, fixing content and finally declaring the site explicitly https-only.
On Sat, Dec 13, 2014 at 2:05 PM, Christian Heutger
<chri...@heutger.net> wrote:
> I see a big danger in the current trend.
Surely you haven't missed the big danger in plain text traffic. That
traffic gets usuroed and fed into susyems like Xkeyscore for Tailored
Access Operations (TAO). In layman's terms, adversaries are using the
information gathered to gain unauthorized access to systems.
> Expecting everyone having a free
> „secure“ certificate and being in requirement to enable HTTPS it will result
> in nothing won. DV certificates (similar to DANE) do finally say absolute
> nothing about the website operator.
The race to the bottom among CAs is to blame for the quality of
verification by the CAs.
With companies like StartCom, Cacert and Mozilla offering free
certificates, there is no barrier to entry.
Plus, I don't think a certificate needs to say anything about the
operator. They need to ensure the server is authenticated. That is,
the public key bound to the DNS name is authentic.
> They ensure encryption, so I can then be
> phished, be scammed, … encrypted. Big advantage!^^
As I understand it, phishers try to avoid TLS because they count on
the plain text channel to avoid all the browser warnings. Peter
Gutmann discusses this in his Engineering Security book
(https://www.cs.auckland.ac.nz/~pgut001/pubs/book.pdf).
> Pushing real validation
> (e.g. EV with green adressbar and validated details by an independent third
> party, no breakable, spoofable automatism) vs. no validation is much more
> important and should be focussed on.
You should probably read Gutmann's Engineering Security. See his
discussion of "PKI me harder" in Chapter 1 or 6 (IIRC).
understand the icons. It would probably be better if the browsers did
the right thing, and took the users out of the loop. Gutmann talks
about it in detail (with lots of citations).
esteem then opportunistic encryption. Why the browsers choose to
indicate things this way is a mystery.
technical controls. From a security standpoint, DV and EV are
equivalent.
If DNS is authentic, then DANE provides stronger assurances than DV or
EV since the domain operator published the information and the
veracity does not rely on others like CAs (modulo DBOUND).
Not relying on a CA is a good thing since its usually advantageous to
minimize trust (for some definition of "trust"). Plus, CAs don't
really warrant anything, so its not clear what exactly they are
providing to relying parties (they are providing a a signature for
money to the applicant).
Open question: do you think the browsers will support a model other
than the CA Zoo for rooting trust?
<chri...@heutger.net> wrote:
> I see a big danger in the current trend.
Surely you haven't missed the big danger in plain text traffic. That
traffic gets usuroed and fed into susyems like Xkeyscore for Tailored
Access Operations (TAO). In layman's terms, adversaries are using the
information gathered to gain unauthorized access to systems.
> Expecting everyone having a free
> „secure“ certificate and being in requirement to enable HTTPS it will result
> in nothing won. DV certificates (similar to DANE) do finally say absolute
> nothing about the website operator.
The race to the bottom among CAs is to blame for the quality of
verification by the CAs.
With companies like StartCom, Cacert and Mozilla offering free
certificates, there is no barrier to entry.
Plus, I don't think a certificate needs to say anything about the
operator. They need to ensure the server is authenticated. That is,
the public key bound to the DNS name is authentic.
> They ensure encryption, so I can then be
> phished, be scammed, … encrypted. Big advantage!^^
As I understand it, phishers try to avoid TLS because they count on
the plain text channel to avoid all the browser warnings. Peter
Gutmann discusses this in his Engineering Security book
(https://www.cs.auckland.ac.nz/~pgut001/pubs/book.pdf).
> Pushing real validation
> (e.g. EV with green adressbar and validated details by an independent third
> party, no breakable, spoofable automatism) vs. no validation is much more
> important and should be focussed on.
You should probably read Gutmann's Engineering Security. See his
discussion of "PKI me harder" in Chapter 1 or 6 (IIRC).
Security engineering studies seem to indicate most users don't
> However, this „change“ could come with
> marking HTTP as Non-Secure, but just stating HTTPS as secure is the
> completely wrong sign and will result in more confusion and loosing any
> trust in any kind of browser padlocks than before.
understand the icons. It would probably be better if the browsers did
the right thing, and took the users out of the loop. Gutmann talks
about it in detail (with lots of citations).
+1. In the browser world, plaintext was (still is?) held in higher
> Just a proposal:
>
> Mark HTTP as Non-Secure (similar to self-signed) e.g. with a red padlock or
> sth. similar.
esteem then opportunistic encryption. Why the browsers choose to
indicate things this way is a mystery.
Why green for EV (or why yellow for DV or DANE)? EV does not add any
> Mark HTTPS as Secure (and only secure in favor of encrypted) e.g. with a
> yellow padlock or sth. similar
> Mark HTTPS with Extended Validation (encrypted and validated) as it is with
> a green padlock or sth. similar
technical controls. From a security standpoint, DV and EV are
equivalent.
If DNS is authentic, then DANE provides stronger assurances than DV or
EV since the domain operator published the information and the
veracity does not rely on others like CAs (modulo DBOUND).
Not relying on a CA is a good thing since its usually advantageous to
minimize trust (for some definition of "trust"). Plus, CAs don't
really warrant anything, so its not clear what exactly they are
providing to relying parties (they are providing a a signature for
money to the applicant).
Open question: do you think the browsers will support a model other
than the CA Zoo for rooting trust?
> So indeed an option to declare that despite proper certificates andSounds like you're essentially proposing a flavor of opportunistic
> encryption the site should be treated as of insecure origin is needed. This
> way the page will be shown as if it was served as before with plain http
> with no changes in user experience. But then it cannot be a https site
> since many users still consider that https is enough to assume a secure
> site. Hence the idea of encrypted http:// or something that makes user
> experience with an encrypted page absolutely the same as she has with plain
> http:// down to the browser stripping http:// from the URL.
encryption for http://, right?
That seems somewhat tangential to Chris' original proposal, and there
is probably a healthy debate to be had about this; it may be also
worthwhile to look at SPDY and QUIC. In general, if you're comfortable
with not providing users with a visible / verifiable degree of
transport security, I'm not sure how the proposal changes this?
By the way, note that nothing is as simple as it seems; opportunistic
encryption is easy to suggest, but it's pretty damn hard to iron out
all the kinks. If there is genuinely no distinction between plain old
HTTP and opportunistically encrypted HTTP, the scheme can be
immediately rendered useless by any active attacker, and suffers from
many other flaws (for example, how do you link from within that
opportunistic scheme to other URLs within your application without
downgrading to http:// or upgrading to "real" https://?). Establishing
a new scheme solves that, but doesn't really address your other
concern - you still need to clean up all links. On top of that, it
opens a whole new can of worms by messing around with SOP.
/mz
From an SOP point of view, this is true.
However, it is increasingly less true if you're willing to ignore the (near cataclysmic) SOP failure, as EV gains technical controls such as certificate transparency and pontentially mandatory stronger security settings (e.g. secure ciphersuites in modern TLS, OCSP stapling, etc). Additionally, there are other technical controls (validity periods, key processing) that do offer distinction.
That is, it is not all procedural changes, and UAs can detect and differentiate. While the hope is that these will be able to apply to all sites in the future, any change of this scale takes time.
> If DNS is authentic, then DANE provides stronger assurances than DV or
> EV since the domain operator published the information and the
> veracity does not rely on others like CAs (modulo DBOUND).
>
> Not relying on a CA is a good thing since its usually advantageous to
> minimize trust (for some definition of "trust"). Plus, CAs don't
> really warrant anything, so its not clear what exactly they are
> providing to relying parties (they are providing a a signature for
> money to the applicant).
>
> Open question: do you think the browsers will support a model other
> than the CA Zoo for rooting trust?
Chromium has no plans for this, particularly those based on DNS/DANE, which are empirically less secure and more operationally fraught with peril. I would neither take it as foregone that the CA system cannot improve nor am I confident that any of the known alternatives are either practical or comparable in security to CAs, let alone superior.
On 15 December 2014 at 10:30, Michal Zalewski <lca...@google.com> wrote:
That seems somewhat tangential to Chris' original proposal, and there
is probably a healthy debate to be had about this; it may be also
worthwhile to look at SPDY and QUIC. In general, if you're comfortable
with not providing users with a visible / verifiable degree of
transport security, I'm not sure how the proposal changes this?
Chris' original proposal is a stick. I want to give a site operator also a carrot. That can be an option to activate encryption that is not visible to the user and *receive* from the browser all reports about violations of secure origin policy. This way the operator will know that they can activate HTTPS without worsening user experience and have information that helps to fix the content.
If there is genuinely no distinction between plain old
HTTP and opportunistically encrypted HTTP, the scheme can be
immediately rendered useless by any active attacker
I am not proposing that a user-invisible encryption should stay forever. Rather it should be treated just as a tool to help site operators to transition to the proper https so at no stage the user experience would be worse than continuing to serve pages with plain http.
On 12/15/14 2:03 AM, Igor Bukanov wrote:Serve the HTML page over http: but load all sub-resources over https: as
> Chris' original proposal is a stick. I want to give a site operator also
> a carrot. That can be an option to activate encryption that is not
> visible to the user and *receive* from the browser all reports about
> violations of secure origin policy. This way the operator will know that
> they can activate HTTPS without worsening user experience and have
> information that helps to fix the content.
expected after the transition. Add the following header:
Content-Security-Policy-Report-Only: default-src https:; report-uri <me>
(add "script-src https: 'unsafe-inline' 'unsafe-eval';" if necessary)
This doesn't give you the benefit of encrypting your main HTML content
during the transition as you requested, but it is something that can be
done today. When the reports come back clean enough you can switch the
page content to https too.
-Dan Veditz
I'm a webmaster and I have switched a good 2 months ago (my website is really not huge, around 100K unique monthly visitors, it's a one-man website).
I would say switching was "interesting.
It was easy till I realized I had mixed content on some of my pages ( a visitor tipped me off, it was embarrassing).
Finding/analyzing and solving that tiny problem was hard. I spent 99% of the time spent on switching working on that one little problem.
My biggest problem with switching to HTTPS is that it is time and money and as an independent, non venture backed webmaster my resources are very limited.
I'm not sure there is a positive ROI in switching for a small webmaster like me.
My visitors don't care and/or understand what is HTTPS and why is it better for them.
However, flagging non-secure websites would definitely generate more awareness.
I definitely - and I think a lot of the small guys, who switched already - support this 100%.
On Saturday, December 13, 2014 1:46:39 AM UTC+1, Chris Palmer wrote:
I would say switching was "interesting.
It was easy till I realized I had mixed content on some of my pages ( a visitor tipped me off, it was embarrassing).
Finding/analyzing and solving that tiny problem was hard. I spent 99% of the time spent on switching working on that one little problem.
My biggest problem with switching to HTTPS is that it is time and money and as an independent, non venture backed webmaster my resources are very limited.
I'm not sure there is a positive ROI in switching for a small webmaster like me.
My visitors don't care and/or understand what is HTTPS and why is it better for them.
However, flagging non-secure websites would definitely generate more awareness.
I definitely - and I think a lot of the small guys, who switched already - support this 100%.
On Saturday, December 13, 2014 1:46:39 AM UTC+1, Chris Palmer wrote:
Hi everyone,Apologies to those of you who are about to get this more than once, due to the cross-posting. I'd like to get feedback from a wide variety of people: UA developers, web developers, and users. The canonical location for this proposal is: https://www.chromium.org/Home/chromium-security/marking-http-as-non-secure.Proposal
We, the Chrome Security Team, propose that user agents (UAs) gradually change their UX to display non-secure origins as affirmatively non-secure. We intend to devise and begin deploying a transition plan for Chrome in 2015.
The goal of this proposal is to more clearly display to users that HTTP provides no data security.
Request
We’d like to hear everyone’s thoughts on this proposal, and to discuss with the web community about how different transition plans might serve users.
Background
We all need data communication on the web to be secure (private, authenticated, untampered). When there is no data security, the UA should explicitly display that, so users can make informed decisions about how to interact with an origin.
Roughly speaking, there are three basic transport layer security states for web origins:
Secure (valid HTTPS, other origins like (*, localhost, *));
Dubious (valid HTTPS but with mixed passive resources, valid HTTPS with minor TLS errors); and
Non-secure (broken HTTPS, HTTP).
For more precise definitions of secure and non-secure, see Requirements for Powerful Features and Mixed Content.
We know that active tampering and surveillance attacks, as well as passive surveillance attacks, are not theoretical but are in fact commonplace on the web.
RFC 7258: Pervasive Monitoring Is an Attack
NSA uses Google cookies to pinpoint targets for hacking
Verizon’s ‘Perma-Cookie’ Is a Privacy-Killing Machine
How bad is it to replace adSense code id to ISP's adSense ID on free Internet?
Comcast Wi-Fi serving self-promotional ads via JavaScript injection
Erosion of the moral authority of transparent middleboxes
Transitioning The Web To HTTPS
We know that people do not generally perceive the absence of a warning sign. (See e.g. The Emperor's New Security Indicators.) Yet the only situation in which web browsers are guaranteed not to warn users is precisely when there is no chance of security: when the origin is transported via HTTP. Here are screenshots of the status quo for non-secure domains in Chrome, Safari, Firefox, and Internet Explorer:
Particulars
UA vendors who agree with this proposal should decide how best to phase in the UX changes given the needs of their users and their product design constraints. Generally, we suggest a phased approach to marking non-secure origins as non-secure. For example, a UA vendor might decide that in the medium term, they will represent non-secure origins in the same way that they represent Dubious origins. Then, in the long term, the vendor might decide to represent non-secure origins in the same way that they represent Bad origins.
Ultimately, we can even imagine a long term in which secure origins are so widely deployed that we can leave them unmarked (as HTTP is today), and mark only the rare non-secure origins.
There are several ways vendors might decide to transition from one phase to the next. For example, the transition plan could be time-based:
T0 (now): Non-secure origins unmarked
T1: Non-secure origins marked as Dubious
T2: Non-secure origins marked as Non-secure
T3: Secure origins unmarked
Or, vendors might set thresholds based on telemetry that measures the ratios of user interaction with secure origins vs. non-secure. Consider this strawman proposal:
Secure > 65%: Non-secure origins marked as Dubious
Secure > 75%: Non-secure origins marked as Non-secure
Secure > 85%: Secure origins unmarked
The particular thresholds or transition dates are very much up for discussion. Additionally, how to define “ratios of user interaction” is also up for discussion; ideas include the ratio of secure to non-secure page loads, the ratio of secure to non-secure resource loads, or the ratio of total time spent interacting with secure vs. non-secure origins.
We’d love to hear what UA vendors, web developers, and users think. Thanks for reading!
I'm a small website owner and I believe this proposal will upset a lot of small hosters and website owners. In particular for simple content websites, https is a burden for them, in time, cost and it not adding much value. I don't need to be convinced of the security advantages of this proposal, I'm just looking at the practical aspects of it. Furthermore, as mentioned here there is the issue of mixed content and plugins you don't own or control. I sure hope any such warning message is very subtle, otherwise a lot of traffic will be driven away from websites.
If someone thinks their users are OK with their website not having integrity/authentication/privacy, then why is it problematic that Chrome will start telling users about it? Presumably these users would still be OK with it after Chrome starts making the situation more obvious. (And if the users start disliking it, then perhaps they really were never OK with it in the first place?)
Indeed, the notion that users don't care is based on an ill-founded premise of informed consent.
Here's a copy-pasted comment I made elsewhere on this topic:
Here's a copy-pasted comment I made elsewhere on this topic:
To respect a user's decision, their decision needs to be an informed one, and it needs to be choice. I don't think there's a reasonable basis to say either of those are the case with users using HTTP in favor of HTTPS:
First, is it a choice: given that browsers default to HTTP, when no protocol is explicitly selected, and that many users will access the site via external links that they don't control, I don't think it's fair to say that users choose HTTP, they simply get HTTP.
Second, if we did say they'd made a choice, was an informed one. We, as an industry, have done a very poor job of educating users about the security implications of actions online. I don't believe most non-technical users have an understanding of what the implications of the loss of the Authentication, Integrity, or Confidentiality that coms with preferring HTTP to HTTPS are.
Given the fact that most users don't proactively consent to having their content spied upon or mutated in transit, and insofar as they do, it is not informed consent, I don't believe website authors have any obligation to provide access to content over dangerous protocols like HTTP.
Alex
To unsubscribe from this group and stop receiving emails from it, send an email to securi...@chromium.org.
"If someone thinks their users are OK with their website not having integrity/authentication/privacy"That is an assumption that doesn't apply to every website. Many websites don't even have authentication.
Or perhaps it doesn't, and it scares them away. Just like with the cookie bars, where now every user believes all cookies are evil. You assume users are able to make an informed decision based on such warnings, and I doubt that.
"Presumably these users would still be OK with it after Chrome starts making the situation more obvious."
"Presumably these users would still be OK with it after Chrome starts making the situation more obvious"
On Dec 15, 2014, at 7:10 PM, ferdy.c...@gmail.com wrote:"If someone thinks their users are OK with their website not having integrity/authentication/privacy"
That is an assumption that doesn't apply to every website. Many websites don't even have authentication.
"Presumably these users would still be OK with it after Chrome starts making the situation more obvious."
Or perhaps it doesn't, and it scares them away. Just like with the cookie bars, where now every user believes all cookies are evil. You assume users are able to make an informed decision based on such warnings, and I doubt that.
"Presumably these users would still be OK with it after Chrome starts making the situation more obvious"
If users are unable to make an informed choice than I personally believe it’s up to the User Agent to try and pick what choice the user most likely wants. I have a hard time imagining that most users, if given the choice between allowing anyone in the same coffee shop to read what they are reading and not allowing, would willingly choose HTTP over HTTPS.
---
Donald Stufft
PGP: 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
"To respect a user's decision, their decision needs to be an informed one, and it needs to be choice. I don't think there's a reasonable basis to say either of those are the case with users using HTTP in favor of HTTPS:"What if a decision doesn't apply, what if the user is unable to be informed and make a proper decision? I don't agree that every action should be decided upon by the end-user, I am much more in favor of education website owners.
To unsubscribe from this group and stop receiving emails from it, send an email to security-dev...@chromium.org.
I think a choice between HTTP and HTTPS by the user doesn't make sense. The choice is different, it is the choice between staying on a HTTP-only site or leaving it alltogether.
On Mon, Dec 15, 2014 at 4:10 PM, <ferdy.c...@gmail.com> wrote:"If someone thinks their users are OK with their website not having integrity/authentication/privacy"
That is an assumption that doesn't apply to every website. Many websites don't even have authentication.
I think there may be some confusion.
"Authentication" here does not refer to "Does the user authenticate themselves to the site" (e.g. do they log in), but "Is the site you're talking to the site you the site you expected" (or, put differently, "Does the server authenticate itself to the user").
Without authentication in this sense (e.g. talking to whom you think you're talking to), anyone can trivially impersonate a server and alter the responses. This is not that hard, a few examples for you about why authentication is important, even for sites without logins:
This is why it's important to know you're talking to the site you're expecting (Authentication), and that no one has modified that site's contents (Integrity).
>Surely you haven't missed the big danger in plain text traffic. ThatWith DV (weak validation) it then goes encrypted to them, I don¹t see the
>traffic gets usuroed and fed into susyems like Xkeyscore for Tailored
>Access Operations (TAO). In layman's terms, adversaries are using the
>information gathered to gain unauthorized access to systems.
advantage. The magic bullet TOR to prevent from being monitored also
showed up, that the expected privacy may be broken. It¹s a good idea but
therefor stepping back from the value of PKIX is the wrong way in my
opinion.
Right, so DV need to be deprecated or set to a recognizable lower level,
>The race to the bottom among CAs is to blame for the quality of
>verification by the CAs.
clearly stating that it¹s only encryption, nothing else.
And no barrier breaking the value of certificate authorities vs.
>With companies like StartCom, Cacert and Mozilla offering free
>certificates, there is no barrier to entry.
self-signed certificates (Cacert is the only good exception, for a good
reason their approach is different).
If a certificate doesn¹t tell, what should tell? How should I be sure to
>Plus, I don't think a certificate needs to say anything about the
>operator. They need to ensure the server is authenticated. That is, the
>public key bound to the DNS name is authentic.
be on www.onlinebanking.de and not www.onlínebanking.de (see the accent)
by getting spoofed or phished? It¹s the same for Facebook.com or
Facebo0k.com, ...
If there is a free certificate for everyone and everything is https, which
>As I understand it, phishers try to avoid TLS because they count on the
>plain text channel to avoid all the browser warnings. Peter Gutmann
>discusses this in his Engineering Security book
>(https://www.cs.auckland.ac.nz/~pgut001/pubs/book.pdf).
browser warnings should occur?
That¹s what certificates are for. If we only would want to have
>Why green for EV (or why yellow for DV or DANE)? EV does not add any
>technical controls. From a security standpoint, DV and EV are equivalent.
encryption, there would never be any requirement for certificates.
Browsers and servers handle cipher suites, handshakes etc., the
certificate is the digital equivalent to an authorized identity card, and
there for sure DV and EV are different. Security is about confidentiality,
integrity and availability. Confidentiality is the encryption, integrity
is the validation.
From the pure technical standpoint, yes, from the validation standpoint,
>If DNS is authentic, then DANE provides stronger assurances than DV or EV
>since the domain operator published the information and the veracity does
>not rely on others like CAs (modulo DBOUND).
no. DANE has the hazel of compatibility, but it also struggle with harder
mandatory realization of restrictions (online or offline key material, key
sizes, algorithm, debian bug or heart bleed reissue, Š, all the topics,
which recently arised), for pinning validated (EV) certificates, it¹s the
best solution vs. pinning or transparency.
As there is not internet governance, they are the only available
>Not relying on a CA is a good thing since its usually advantageous to
>minimize trust (for some definition of "trust"). Plus, CAs don¹t really
>warrant anything, so its not clear what exactly they are providing to
>relying parties (they are providing a a signature for money to the
>applicant).
alternative. Similar to other agencies existing worldwide, they fetch
money for validation services and warrant for mis-validation. They are
dictated strict rules on how to do and be audited to proof, they follow
this rules. That¹s how auditing currently works in many places and
although it¹s not the optimal system, it¹s the one currently available.
If a reliable, usable and manageable concept will be established, for
>Open question: do you think the browsers will support a model other than
>the CA Zoo for rooting trust?
sure. But as e.g. ISO 27001 establish the same model, there is a company
being paid for stating what they audited is correct and issuing a seal
(being ISO 27001 certified) which end users should trust in.
There's a lot of information here that isn't quite correct, but I would hate to rathole on a discussion of CA security vs the alternatives, which inevitably arises when one discusses HTTPS in public fora.
I think the discussion here is somewhat orthogonal to the proposal at hand, and thus might be best if kept to a separate thread.
The question of whether HTTP is equivalent to HTTPS-DV in security or authenticity is simple - they aren't at all equivalent, an HTTPS-DV provides vastly superior value over HTTP. So whether or not UAs embrace HTTPS-EV is separate. But as a UA vendor, I would say HTTPS-DV has far more appeal for protecting users and providing security than HTTPS-EV, for many of the reasons you've heard on this thread from others (e.g. the challenges regarding mixed HTTPS+HTTP is the same as HTTPS-EV + HTTPS-DV).
So, assuming we have HTTP vs HTTPS-EV/HTTPS-DV, how best should UAs communicate to the user the lack of security guarantees from HTTP.
> So, assuming we have HTTP vs HTTPS-EV/HTTPS-DV, how best should UAs communicate to the user the lack of security guarantees from HTTP.
I would recommend here as mentioned:
No padlock, red bar or red strike, … => no encryption [and no validation], e.g. similar to SHA1 deprecation in worst situation
Only vs. HTTPS: Padlock => everything fine and not red, „normal“ address bar behavior
With EV differentiation: Padlock, yellow bar, yellow signal, … => only encryption, e.g. similar to current mixed content, …
EV: Validation information, Padlock green bar, no extras, … => similar to current EV
Red-Yellow-Green is recognized all other the world, all traffic signals are like this, explanation on what signal means what can be added to the dialog on click. (Red) strike, (yellow) signal, (green) additional validation information follow also the idea
to have people without been able to differentiate colors to understand what happens here.
Please don't try to debate actual presentation ideas on this list. How UAs present various states is something the individual UA's design teams have much more context and experience doing, so debating that sort of thing here just takes everyone's time to no benefit, and is likely to rapidly become a bikeshed in any case.
As the very first message in the thread states, the precise UX changes here are up to the UA vendors. What's more useful is to debate the concept of displaying non-secure origins as non-secure, and how to transition to that state over time.
PK
On 15 December 2014 at 18:54, Daniel Veditz <dve...@mozilla.com> wrote:
Serve the HTML page over http: but load all sub-resources over https: as
expected after the transition. Add the following header:
Content-Security-Policy-Report-Only: default-src https:; report-uri <me>
This is a nice trick! However, it does not work in general due to the use of protocolless-links starting with // . Or should those be discouraged?
Sounds like a CSP-bug to me; scheme-relative URLs are awesome, and we should encourage them (over explicit http://-schemed URLs)
On 16 December 2014 at 01:18, Ryan Sleevi <rsl...@chromium.org> wrote:
"Authentication" here does not refer to "Does the user authenticate
themselves to the site" (e.g. do they log in), but "Is the site you're
talking to the site you the site you expected" (or, put differently, "Does
the server authenticate itself to the user").
With protocols like SRP or J-PAKE authentication in the first sense (log in) also provides authentication in the second sense (protocols ensures mutual authentication between the user and the server without leaking passwords). I wish there would be at least some support in the browsers for these protocols so one could avoid certificates and related problems in many useful cases.
On Tue 16 Dec 2014 06:35, Ryan Sleevi <rsl...@chromium.org> writes:Isn't it an antipattern to make a resource available over HTTP if it is
> scheme-relative URLs are awesome, and we should encourage them (over
> explicit http://-schemed URLs)
available over HTTPS? In all cases you could just use HTTPS; no need to
provide an insecure option.
The one case that I know of when scheme-relative URLs are useful is when
HTTPS is not universally accessible, e.g. when the server only supports
TLSv1.2 and so is not reachable from old Android phones, among other
UAs. In that case scheme-relative URLs allow you to serve the same
content over HTTPS to browsers that speak TLSv1.2 but also have it
available insecurely to older browsers.
If there is mention of scheme-relative URLs in a "Marking HTTP as
Non-Secure" set of guidelines for authors and site operators, it should
be to avoid them in favor of explicitly using the HTTPS scheme.
Andy
I am happy to see this initiative, I consider the current standard
browser UI broken and upside-down. Today, plain http is not trustworthy,
but it still has the "normal" look in browsers. We ought to change this.
A few thoughts:
Users expect that when they come to a site that looks like Facebook, it
is Facebook. They expect any problems to be flagged, and unless there is
a warning, that everything is OK. They do not understand what most
icons/colors and dialogs mean, and are confused by the complexity of
security (and the web in general). A good UI should present the web the
way the user expects it to be presented. Expecting users to spend their
time learning and memorizing various browser UIs (user education) is
arrogant. Starting this discussion from the implementation details is
starting it in the wrong end.
One example of an experimental browser UI is Opera Coast. It goes much
further than cleaning up the security symbols, it removes the entire
address field. It uses a lot of extra background checks, with the aim to
allow users to browse without having to check addresses. If something
seems wrong, it will warn the user ahead of time. This seems to me to be
the ideal, where security is baked into the solution, not tacked on top.
From a user's perspective, it just works. I think revamping address bars
and badges should take the long term goal into consideration as well.
(I'll happily discuss Coast's solutions, but please start a new thread
if so.)
Browsers normally have 3-5 different visual security states in the UI;
normal (no security), DV and EV. Some browsers have special visual
indicators for various types of broken security (dubious, bad, etc). In
addition there are a multitude of corner cases. Although I can see the
use of three states, to support gradual degradation via the middle
state, more than three states is confusing, and the ideal should be
none, as in the above example.
Given three states for now, the question is how we want to display them.
We need one for general unsecured contents. We want one for top
security, i.e. all the latest encryption standards and EV. Then general
encryption would go into the last bucket. Encryption standards will have
to change over time. From a user perspective, a natural way to mark
three states would be as insecure (red/warning), normal (neutral/no
marking) and secure (green/padlock).
There is no need to distinguish unsecured from dubiously secured, they
can just go into the same bucket. There isn't even any need to warn
users about certificate errors, the UI is just downgraded to insecure,
as a self-signed site is no less secure than an http site. There are
technical reasons for the warnings, but those can be bug-fixed. Active
attacks (e.g. certificate replacement to an invalid one, HSTS failure,
revoked certificates, ...) might still be hard-blocked, but note that
this constitutes a fourth state, and the UI is becoming very complicated
already - there are probably better ways to map such cases into the
insecure state, but that is a separate discussion.
One issue is that browser UI is and should be a place for innovation,
not rigid specifications. At the same time, users would clearly benefit
from consistent and good UI. Diverging from the de-facto UI standard
towards a better one comes with a cost for browsers, and they might not
have the incentive to do so. A coordinated move towards a better future
would be good, as long as we avoid the hard limitations. Regardless of
this discussion, we do need better coordination for removing old crypto
standards (SHA-1, SSLv3, RC4, ...) from the "secure" bucket in the UI.
In short, I am all for a coordinated move, but there needs to be space
for browsers to innovate as well.
In terms of the transition plan, I think a date-based plan is the only
thing which will work. This gives all parties time to prepare, they know
when the next phase will start, and nobody will be arguing if we have
reached a milestone or not. It also avoids any deadlocks where the next
phase is needed to push the web to the state where the next phase will
begin. Any ambitious timeline will fail to get all players on board. A
multi-year plan is still better than the resulting user confusion if
browsers move on their own.
BTW, have you explicitly contacted other browser teams?
--
Sigbjørn Vik
Opera Software
browser UI broken and upside-down. Today, plain http is not trustworthy,
but it still has the "normal" look in browsers. We ought to change this.
A few thoughts:
Users expect that when they come to a site that looks like Facebook, it
is Facebook. They expect any problems to be flagged, and unless there is
a warning, that everything is OK. They do not understand what most
icons/colors and dialogs mean, and are confused by the complexity of
security (and the web in general). A good UI should present the web the
way the user expects it to be presented. Expecting users to spend their
time learning and memorizing various browser UIs (user education) is
arrogant. Starting this discussion from the implementation details is
starting it in the wrong end.
One example of an experimental browser UI is Opera Coast. It goes much
further than cleaning up the security symbols, it removes the entire
address field. It uses a lot of extra background checks, with the aim to
allow users to browse without having to check addresses. If something
seems wrong, it will warn the user ahead of time. This seems to me to be
the ideal, where security is baked into the solution, not tacked on top.
From a user's perspective, it just works. I think revamping address bars
and badges should take the long term goal into consideration as well.
(I'll happily discuss Coast's solutions, but please start a new thread
if so.)
Browsers normally have 3-5 different visual security states in the UI;
normal (no security), DV and EV. Some browsers have special visual
indicators for various types of broken security (dubious, bad, etc). In
addition there are a multitude of corner cases. Although I can see the
use of three states, to support gradual degradation via the middle
state, more than three states is confusing, and the ideal should be
none, as in the above example.
Given three states for now, the question is how we want to display them.
We need one for general unsecured contents. We want one for top
security, i.e. all the latest encryption standards and EV. Then general
encryption would go into the last bucket. Encryption standards will have
to change over time. From a user perspective, a natural way to mark
three states would be as insecure (red/warning), normal (neutral/no
marking) and secure (green/padlock).
There is no need to distinguish unsecured from dubiously secured, they
can just go into the same bucket. There isn't even any need to warn
users about certificate errors, the UI is just downgraded to insecure,
as a self-signed site is no less secure than an http site. There are
technical reasons for the warnings, but those can be bug-fixed. Active
attacks (e.g. certificate replacement to an invalid one, HSTS failure,
revoked certificates, ...) might still be hard-blocked, but note that
this constitutes a fourth state, and the UI is becoming very complicated
already - there are probably better ways to map such cases into the
insecure state, but that is a separate discussion.
One issue is that browser UI is and should be a place for innovation,
not rigid specifications. At the same time, users would clearly benefit
from consistent and good UI. Diverging from the de-facto UI standard
towards a better one comes with a cost for browsers, and they might not
have the incentive to do so. A coordinated move towards a better future
would be good, as long as we avoid the hard limitations. Regardless of
this discussion, we do need better coordination for removing old crypto
standards (SHA-1, SSLv3, RC4, ...) from the "secure" bucket in the UI.
In short, I am all for a coordinated move, but there needs to be space
for browsers to innovate as well.
In terms of the transition plan, I think a date-based plan is the only
thing which will work. This gives all parties time to prepare, they know
when the next phase will start, and nobody will be arguing if we have
reached a milestone or not. It also avoids any deadlocks where the next
phase is needed to push the web to the state where the next phase will
begin. Any ambitious timeline will fail to get all players on board. A
multi-year plan is still better than the resulting user confusion if
browsers move on their own.
BTW, have you explicitly contacted other browser teams?
--
Sigbjørn Vik
Opera Software
On Tue, Dec 16, 2014 at 5:59 AM, Sigbjørn Vik <sigb...@opera.com> wrote:Well, we do have to make sure that the browser does not send cookies
> There is no need to distinguish unsecured from dubiously secured, they
> can just go into the same bucket. There isn't even any need to warn
> users about certificate errors, the UI is just downgraded to insecure,
> as a self-signed site is no less secure than an http site. There are
> technical reasons for the warnings, but those can be bug-fixed. Active
> attacks (e.g. certificate replacement to an invalid one, HSTS failure,
> revoked certificates, ...) might still be hard-blocked, but note that
> this constitutes a fourth state, and the UI is becoming very complicated
> already - there are probably better ways to map such cases into the
> insecure state, but that is a separate discussion.
to an impostor origin. That's (1 reason) why Chrome uses interstitial
warnings today.
We could do away with interstitials if the definition of the origin
included some notion of cryptographic identity — e.g. (HTTPS,
facebook.com, 443, [set of pinned keys]) instead of just (HTTPS,
facebook.com, 443) — but there'd still be problems with that, and very
few site operators are currently able to commit to pinning right now.
(And, that might never change.)
This mass mailing is that.
> BTW, have you explicitly contacted other browser teams?
First of all, some change along these lines is absolutely necessary is it closes a huge hole that has been successfully exploited since the Netscape days. That is, while browsers indicate positive security for TLS, they make no indication at all in the case no security, leaving ample room for website content to fill that void. Call this the "Green padlock favicon" problem if you like.
Some notable points:
Given these roughly 3 distinct scenarios with respect to connection status:
A: The connection is successfully secured. (HTTPS)
B: No security was attempted. (HTTP)
C: Securing the connection has failed. (Certificate validation failure)
A few people have said that B and C are roughly identical from a security perspective and could be represented as the same state -- in both cases no security is provided. I would disagree here. In the case of the failed certificate verification, the client has attempted to secure the connection and that attempt has failed. In the case of HTTP, the client made no indication of a preference for security. While scenario B represents the *absence* of security, scenario C represents the *failure* of security, and is therefore more troublesome. While we want to raise the awareness of scenario B, we shouldn't promote it to the severity of scenario C. Doing so conflates two very different cases and failure modes; while both represent the absence of verifiable transport security, the latter indicates that the user's expressed expectation of security has not been met, while the former simply reflects the absence of any expectation of security.
With respect to EV vs DV/DANE certificates, that discussion should be completely separate from this. No further comment necessary.
Finally, it's worth noting that reports from the field in response to the Chrome SHA-1 sunsetting initiative have shown that even the most minor of warnings has a measurable impact on site operators. I've received many reports from operators large and small indicating visible losses of revenue due to the nearly-hidden warning Chrome currently displays for a SHA-1 cert with a long expiration. This suggests that the UX changes surrounding security needn't initially be intrusive to have a strong impact on site operations. An unobtrusive but centrally-located notice to the effect of "your connection has not been secured" is indisputably accurate, conveys no bias or agenda, and yet can be expected to produce a sea-change of behavior for site operators.
It's like bike locks: they're functional and highly visible, but also optional. Still, if one day someone started putting up signs saying "this bike has no lock", even though it's telling you nothing you couldn't already see, behavior would immediately change.
On 17-Dec-14 08:48, tyl...@google.com wrote:I respectfully, but strongly, disagree :) If you want to separate the
> Given these roughly 3 distinct scenarios with respect to connection status:
>
> A: The connection is successfully secured. (HTTPS)
> B: No security was attempted. (HTTP)
> C: Securing the connection has failed. (Certificate validation failure)
>
> A few people have said that B and C are roughly identical from a
> security perspective and could be represented as the same state -- in
> both cases no security is provided. I would disagree here. In the case
> of the failed certificate verification, the client has attempted to
> secure the connection and that attempt has failed. In the case of HTTP,
> the client made no indication of a preference for security. While
> scenario B represents the *absence* of security, scenario C represents
> the *failure* of security, and is therefore more troublesome. While we
> want to raise the awareness of scenario B, we shouldn't promote it to
> the severity of scenario C. Doing so conflates two very different cases
> and failure modes; while both represent the absence of verifiable
> transport security, the latter indicates that the user's expressed
> expectation of security has not been met, while the former simply
> reflects the absence of any expectation of security.
states, I'd say that C is better than B. C has *some* security, B has
*none*. Consider a self-signed certificate, where the site owner chooses
to provide what little security he can, this is still much better than
plain old http. Or a certificate expired by one day, which is the same
certificate that the browser has seen on that site for the 2 years past,
this is still way better than B.
If a malicious actor can get write access to a page with status C, he
can immediately change the security level to status B anyway. Redirect
the page to http://official-looking.subdomain-facebook.com, and present
B, so displaying B as better doesn't help users much against attacks. If
a malicious actor does not have write access to a page with status C,
then status C is already better than status B. If the browser can detect
an active attack (like the login form having moved to http from https or
replacement of a good certificate by a bad one) then the browser should
of course warn against the attack, but that is a different scenario.
In most cases, users type 'facebook.com', and give no preference for
security. Any such preference is a server preference. The same holds for
clicking links, the user has no expectation of where he will be taken.
For bookmarks, or cases where the user explicitly types 'https://', the
user might have an expectation of security. If he does, and the security
level of the page indicates either B or C, he should immediately be
alerted anyway. If you think this indicates an explicit preference for
security, then the browser could warn similar to an active attack in
these cases.
But my main point against this is still that you need an entire
paragraph to explain the difference, to people who already know the
background. A user wants to know if he is secure or not, not if his
'facebook.com' request was intercepted on the way and replaced by a http
MiTM (status B, really bad), or if 'facebook.com' made a bug leaving you
exposed (status C, pretty bad). Most users wouldn't understand the
difference. I consider it arrogant trying to force users to understand
the difference, most users just want to go to facebook, not get a
lecture on internet safety. I consider it harmful to try to display the
difference, as the more states we have in the UI, the more users have to
learn, which means they will remember less, and the states become less
meaningful. Keep it simple, and keep to user expectations, not
implementation details.
As a consumer buying bread, you want to know if the bread is safe to eat
or not. Whether the farmer tried to control pesticide usage and failed,
or he didn't try to control it, makes little difference. Professional
health and safety inspectors (akin to browser and web developers) are
about the only ones who care.
Are you able to share more details on this?
> I've
> received many reports from operators large and small indicating
> visible
> losses of revenue due to the nearly-hidden warning Chrome currently
> displays for a SHA-1 cert with a long expiration.
On 16. des. 2014 21:10, 'Chris Palmer' via Security-dev wrote:I've been experimenting with a Chromium patch where the url context is
> Well, we do have to make sure that the browser does not send cookies
> to an impostor origin. That's (1 reason) why Chrome uses interstitial
> warnings today.
given two cookie stores, "standard" and "insecure https" (this being
adapted to the current scheme where we don't warn about http). After the
connection has been established but before the request is sent, the
appropriate cookies are picked from the stores based on the security
state of the connection. Secure cookies going over a good tls
connection and all http cookies are picked from the "normal" store,
while secure cookies going over a bad tls connection is picked from the
"insecure https" store. This stops secure cookies received on a good
connection from being sent to an imposter origin.
However, to remove the interstitial warning, most offline storages would
have to be separated into two caches, to avoid cache poisoning. Examples
are appcache, service workers, fileapi, dom storage, indexed db and the
standard disk cache. This would be a huge undertaking to get right and
maintain.
Separating the cookie store still has some value even without removing
the interstitial warning though.
Hopefully all the relevant Browser UI teams read these lists.
>> BTW, have you explicitly contacted other browser teams?
> This mass mailing is that.
--
---
Opera Software
We plan to continue treating B and C differently. If there is a validation failure (C), Chrome will show a full-page interstitial. That will not be the case for HTTP (B). They will look the same in the URL bar because they are both insecure but the overall experience will be quite different.
On 17-Dec-14 17:22, 'Adrienne Porter Felt' via Security-dev wrote:Looking the same in the URL bar is already a good improvement on today.
> We plan to continue treating B and C differently. If there is a
> validation failure (C), Chrome will show a full-page interstitial. That
> will not be the case for HTTP (B). They will look the same in the URL
> bar because they are both insecure but the overall experience will be
> quite different.
However, the interstitial will continue to provide a negative incentive
to webmasters to attempt to apply security, as if they get it wrong,
users get a worse experience. Going for http might just be the safer
choice. The interstitial thus has the opposite effect of what this
proposal aims to achieve.
In an ideal world, where there were no technical reasons for the
interstitial (meaning the browser wouldn't leak cookies or other data
and the user would be at least as secure as when using http), would you
still want to show it to users? And if so why?
> <mailto:sigb...@opera.com>> wrote:
> On Wed, Dec 17, 2014 at 3:52 AM, Sigbjørn Vik <sigb...@opera.com
> In most cases, users type 'facebook.com <http://facebook.com>', and
> give no preference for> 'facebook.com <http://facebook.com>' request was intercepted on the
> security. Any such preference is a server preference. The same holds for
> clicking links, the user has no expectation of where he will be taken.
> For bookmarks, or cases where the user explicitly types 'https://', the
> user might have an expectation of security. If he does, and the security
> level of the page indicates either B or C, he should immediately be
> alerted anyway. If you think this indicates an explicit preference for
> security, then the browser could warn similar to an active attack in
> these cases.
>
> But my main point against this is still that you need an entire
> paragraph to explain the difference, to people who already know the
> background. A user wants to know if he is secure or not, not if his
> way and replaced by a http> <http://facebook.com>' made a bug leaving you
> MiTM (status B, really bad), or if 'facebook.com
> exposed (status C, pretty bad). Most users wouldn't understand the
> difference. I consider it arrogant trying to force users to understand
> the difference, most users just want to go to facebook, not get a
> lecture on internet safety. I consider it harmful to try to display the
> difference, as the more states we have in the UI, the more users have to
> learn, which means they will remember less, and the states become less
> meaningful. Keep it simple, and keep to user expectations, not
> implementation details.
>
> As a consumer buying bread, you want to know if the bread is safe to eat
> or not. Whether the farmer tried to control pesticide usage and failed,
> or he didn't try to control it, makes little difference. Professional
> health and safety inspectors (akin to browser and web developers) are
> about the only ones who care.
>
> > I've
> > received many reports from operators large and small indicating
> > visible
> > losses of revenue due to the nearly-hidden warning Chrome currently
> > displays for a SHA-1 cert with a long expiration.
>
> Are you able to share more details on this?
>
> --
> Sigbjørn Vik
> Opera Software
>
> To unsubscribe from this group and stop receiving emails from it, send> an email to securi...@chromium.org
> <mailto:security-dev+unsubscribe@chromium.org>.
On Wed, Dec 17, 2014 at 12:52 PM, Sigbjørn Vik <sigb...@opera.com> wrote:You would advocate not blocking on certificate failures and just hand
> I respectfully, but strongly, disagree :) If you want to separate the
> states, I'd say that C is better than B. C has *some* security, B has
> *none*.
over credentials to network attackers? What would happen exactly when
you visit e.g. google.com from the airport (connected to something
with a shitty captive portal)?
--
https://annevankesteren.nl/
As a web developer, I feel that this proposal is missing the point somewhat.
For the typical end-user browsing general purpose sites, the biggest risk is not interception of traffic, but vulnerabilities on the back-end, and HTTPS does absolutely nothing to address this.
Making a more prominent indication of site "security" risks mis-interpretation by end users that their data is in fact secure, which is not the case in reality - especially since most users won't differentiate between transport security and back-end security.
Additionally, many sites simply don't have the type of content or interaction that requires the added complexity of HTTPS, even if it's perceived as an easy upgrade in tech circles. An overly intrusive "non-secure" indicator could lead to end-user confusion in these cases.
After users realise that these sites are not in fact stealing their data, the effectiveness of the indicator as a valid tool is diminished, since it has already flagged a false positive in the eyes of the end user.
I believe these and other nuances should be carefully taken into account when considering this proposition.
For the typical end-user browsing general purpose sites, the biggest risk is not interception of traffic, but vulnerabilities on the back-end, and HTTPS does absolutely nothing to address this.
Making a more prominent indication of site "security" risks mis-interpretation by end users that their data is in fact secure, which is not the case in reality - especially since most users won't differentiate between transport security and back-end security.
Additionally, many sites simply don't have the type of content or interaction that requires the added complexity of HTTPS, even if it's perceived as an easy upgrade in tech circles. An overly intrusive "non-secure" indicator could lead to end-user confusion in these cases.
After users realise that these sites are not in fact stealing their data, the effectiveness of the indicator as a valid tool is diminished, since it has already flagged a false positive in the eyes of the end user.
I believe these and other nuances should be carefully taken into account when considering this proposition.
My comment will focus on the Non-secure (broken HTTPS, HTTP). There is a significant and extremely important security difference between broken HTTPS and HTTP. Assuming the webmaster and web developer properly chose HTTP, it is not intended to be secure but intended for everybody to see. Broken HTTPS is intended to be secure but is not, again same assumption of proper choice by webmaster and web developer. The message to the user should not be the same. Broken HTTPS deserves an alarming declaration of being insecure to warn the user. HTTP deserves a more gentle reminder message that it is not intended to be secure. If the page content on a HTTP page includes password fields or other clearly identifiable sensitive content fields, then that deserves the same treatment as broken HTTPS.
Webmasters and web developers should be making the appropriate choices for HTTP and HTTPS. Not all web content needs to be served via HTTPS. Users will suffer from alert overload and begin to ignore the important alerts. The simple fact a site is HTTP does not deserve an alert, it depends on the content and context.
I did notice a few comments identifying possible issues when trying to serve include HTTP in an HTTPS page. That is insecure and should not be expected to work. Mixed HTTPS and HTTP has long been identified to users as a security issue and should continue to be.
Webmasters and web developers should be making the appropriate choices for HTTP and HTTPS. Not all web content needs to be served via HTTPS. Users will suffer from alert overload and begin to ignore the important alerts. The simple fact a site is HTTP does not deserve an alert, it depends on the content and context.
I did notice a few comments identifying possible issues when trying to serve include HTTP in an HTTPS page. That is insecure and should not be expected to work. Mixed HTTPS and HTTP has long been identified to users as a security issue and should continue to be.
On 17-Dec-14 18:17, Anne van Kesteren wrote:My comment above is about the relative security of http versus
> On Wed, Dec 17, 2014 at 12:52 PM, Sigbjørn Vik <sigb...@opera.com> wrote:
>> I respectfully, but strongly, disagree :) If you want to separate the
>> states, I'd say that C is better than B. C has *some* security, B has
>> *none*.
>
> You would advocate not blocking on certificate failures
> and just hand
> over credentials to network attackers?
non-perfect https. In most cases, non-perfect https is better. In some
cases, they are equally bad.[*]
Another topic is how to deal with broken https. Browsers today present
the user with an interstitial designed to allow him to shoot himself in
the foot, after which they leak any cached secure data to the broken
site. I consider that leakage a bug.
Assuming interstitials were replaced with cache separation:
> What would happen exactly when
> you visit e.g. google.com from the airport (connected to something
> with a shitty captive portal)?
The browser would detect that this isn't the same secure google you
talked to yesterday, and not share any data you got from google
yesterday with the captive portal. Once you reconnect to the authentic
google, the browser would use the first set of data again.
17.12.2014, 20:19, "Anne van Kesteren" <ann...@annevk.nl>:
This is a pretty interesting use case. When you connect at the airport, the typical first thing that happens is you get a warning saying that the site you want to connect to has the wrong certificate (you went to pogoda.yandex.ru but the certtificate is for airport.logins.aero, or 1.1.1.1).
If you are me, you wrestle with the interface until you find out how to connect anyway, and hope that it doesn't remember this for other places (and that I do).
so having handed over your credit card details to get 30 minutes of connection time, you're in a hurry (your plane will leave soon, and you still haven't told Mum you're hoping she will collect you when you land).
If you're visiting google.com, it's hard to see what the next interstitial does that is useful. To take the standard Coast example, if you went to myAe.ro every day for the last month, and their certificate expired yesterday but hasn't changed, I think the answer is pretty clear.
If it expired last month, and you've been using it for a year, there may be an issue. If it is brand new and registered to someone else, there might well be an issue even though the certificate itself looks good…
just some thinking out loud…
cheers
--
Charles McCathie Nevile - web standards - CTO Office, Yandex
cha...@yandex-team.ru - - - Find more at http://yandex.com
On Wednesday, December 17, 2014 7:44:59 PM UTC+1, cha...@yandex-team.ru wrote:
511 Network Authentication Required?
There is http://tools.ietf.org/html/rfc6585#section-6 for that. Chromium bug is https://code.google.com/p/chromium/issues/detail?id=114929 , Firefox has their own as well. As far as I know this only works for HTTP connections. There really is no reasonable way how the airport can step into an HTTPS connection and demand authentication without causing a certificate error. There is experimantal https://tools.ietf.org/rfc/rfc2521.txt which suggests an ICMP packet "Need Authorization", but as I said, it is experimantal. Am I missing something?
This is a pretty interesting use case. When you connect at the airport, the typical first thing that happens is you get a warning saying that the site you want to connect to has the wrong certificate (you went to pogoda.yandex..ru but the certtificate is for airport.logins.aero, or 1.1.1.1).--
Charles McCathie Nevile - web standards - CTO Office, Yandex
511 Network Authentication Required?
There is http://tools.ietf.org/html/rfc6585#section-6 for that. Chromium bug is https://code.google.com/p/chromium/issues/detail?id=114929 , Firefox has their own as well. As far as I know this only works for HTTP connections. There really is no reasonable way how the airport can step into an HTTPS connection and demand authentication without causing a certificate error. There is experimantal https://tools.ietf.org/rfc/rfc2521.txt which suggests an ICMP packet "Need Authorization", but as I said, it is experimantal. Am I missing something?
This gradual roll out of the UI hints that is being proposed now would help shift attention to such problems. The problems won't be solved until we get to a state we (actually, you ;) truly _need_ to be solving them.
On Wed, Dec 17, 2014 at 2:27 PM, <software...@gmail.com> wrote:
Am I missing something?
The way Android and Chrome OS detect captive portals is to issue requests to a known HTTP URL that should only send 204 responses, and anything else indicates some action is required on behalf of the user. See: http://www.chromium.org/chromium-os/chromiumos-design-docs/network-portal-detection
As a longer term solution, I like the idea of announcing captive portal logins via DHCP (e.g., draft-wkumari-dhc-capport).
User Interface suggestions:
I think coloring the address bar background is the way to go.
Small icons are too easily missed, and even if every browser agreed to use the same icon, (unlikely) they would likely be placed differently. Also, error messages are likely to be ignored by non-techies who will not understand them.
As for suggested colors, red, yellow and green have a universal meaning.
With that in mind, I suggest starting with
HTTP - yellow background
HTTPS lite green background
HTTPS with EV certificate darker green background
Then, phase two might be:
HTTP: red background
HTTPS with mixed mode: yellow background
HTTPS: still light green
HTTPS with EV cert: still dark green
To further emphasize the red and/or yellow, the entire browser window might be framed in that color, along the lines of what Sandboxie does.
I would also add an explanation of the colors right in the address bar. The word "color" with a white "i" in a blue circle should be obvious as the explanation. Clicking it (or perhaps just hovering on mouse based OSs) should popup a description of what the colors mean.
I think coloring the address bar background is the way to go.
Small icons are too easily missed, and even if every browser agreed to use the same icon, (unlikely) they would likely be placed differently. Also, error messages are likely to be ignored by non-techies who will not understand them.
As for suggested colors, red, yellow and green have a universal meaning.
With that in mind, I suggest starting with
HTTP - yellow background
HTTPS lite green background
HTTPS with EV certificate darker green background
Then, phase two might be:
HTTP: red background
HTTPS with mixed mode: yellow background
HTTPS: still light green
HTTPS with EV cert: still dark green
To further emphasize the red and/or yellow, the entire browser window might be framed in that color, along the lines of what Sandboxie does.
I would also add an explanation of the colors right in the address bar. The word "color" with a white "i" in a blue circle should be obvious as the explanation. Clicking it (or perhaps just hovering on mouse based OSs) should popup a description of what the colors mean.
18.12.2014, 01:27, "software...@gmail.com" <software...@gmail.com>:
On Wednesday, December 17, 2014 7:44:59 PM UTC+1, cha...@yandex-team.ru wrote:This is a pretty interesting use case. When you connect at the airport, the typical first thing that happens is you get a warning saying that the site you want to connect to has the wrong certificate (you went to pogoda.yandex.ru but the certtificate is for airport.logins.aero, or 1.1.1.1).--
Charles McCathie Nevile - web standards - CTO Office, Yandex
511 Network Authentication Required?
There is http://tools.ietf.org/html/rfc6585#section-6 for that. Chromium bug is https://code.google.com/p/chromium/issues/detail?id=114929 , Firefox has their own as well. As far as I know this only works for HTTP connections. There really is no reasonable way how the airport can step into an HTTPS connection and demand authentication without causing a certificate error.
There is a certificate error. The point is that since it is expected behaviour, I get trained to say "yeah, whatever" so I can pay for the connection I need. Despite the fact that it is very difficult to be *sure* that the error is not actually a real problem.
I'd love to see a better situation relying on a proper standard.
But in general I don't.
There is experimantal https://tools.ietf.org/rfc/rfc2521.txt which suggests an ICMP packet "Need Authorization", but as I said, it is experimantal. Am I missing something?This gradual roll out of the UI hints that is being proposed now would help shift attention to such problems. The problems won't be solved until we get to a state we (actually, you ;) truly _need_ to be solving them.
Sure. But this turns out to be a case where right now there is a problem, and instead of *solving* it it seems that "the world" (or at least the parts I see, which is quite a lot by geography) is instead finding a quick workaround that gets them where they were going - at the cost of learning to ignore a potentially serious problem.
On the whole I think this discussion is valuable, and the proposal makes sense. But I have concerns about whether we really understand the things that are going to change and the implications, so use cases like this are important to find and make sure we understand.
cheers
--
Charles McCathie Nevile - web standards - CTO Office, Yandex
cha...@yandex-team.ru - - - Find more at http://yandex.com
Inline
On Dec 18, 2014 1:07 AM, <cha...@yandex-team.ru> wrote:
>
>
>
> 18.12.2014, 01:27, "software...@gmail.com" <software...@gmail.com>:
>>
>> On Wednesday, December 17, 2014 7:44:59 PM UTC+1, cha...@yandex-team.ru wrote:
>>>
>>> This is a pretty interesting use case. When you connect at the airport, the typical first thing that happens is you get a warning saying that the site you want to connect to has the wrong certificate (you went to pogoda.yandex.ru but the certtificate is for airport.logins.aero, or 1.1.1.1).
>>> --
>>> Charles McCathie Nevile - web standards - CTO Office, Yandex
>>
>>
>> 511 Network Authentication Required?
>>
>> There is http://tools.ietf.org/html/rfc6585#section-6 for that. Chromium bug is https://code.google.com/p/chromium/issues/detail?id=114929 , Firefox has their own as well. As far as I know this only works for HTTP connections. There really is no reasonable way how the airport can step into an HTTPS connection and demand authentication without causing a certificate error.
>
>
> There is a certificate error. The point is that since it is expected behaviour, I get trained to say "yeah, whatever" so I can pay for the connection I need. Despite the fact that it is very difficult to be *sure* that the error is not actually a real problem.
>
> I'd love to see a better situation relying on a proper standard.
>
> But in general I don't.
>
I'm not sure if it's terribly germane to the HTTP-being-indicated-as-not-secure to rathole too much on the ways that HTTPS can be messed with, but I will simply note that the Chrome Security Enamel team are working on ways to better detect and manage this.
While we can wish for better standards, this is an area where standards compliant devices take years to become even remotely ubiquitous. As such, a heuristic based approach on the way the world is, at least with respective to captive portals that actively try to disrupt and compromise users' connections.
>>
>> There is experimantal https://tools.ietf.org/rfc/rfc2521.txt which suggests an ICMP packet "Need Authorization", but as I said, it is experimantal. Am I missing something?
>>
>> This gradual roll out of the UI hints that is being proposed now would help shift attention to such problems. The problems won't be solved until we get to a state we (actually, you ;) truly _need_ to be solving them.
>
>
> Sure. But this turns out to be a case where right now there is a problem, and instead of *solving* it it seems that "the world" (or at least the parts I see, which is quite a lot by geography) is instead finding a quick workaround that gets them where they were going - at the cost of learning to ignore a potentially serious problem.
>
> On the whole I think this discussion is valuable, and the proposal makes sense. But I have concerns about whether we really understand the things that are going to change and the implications, so use cases like this are important to find and make sure we understand.
>
> cheers
>
> --
> Charles McCathie Nevile - web standards - CTO Office, Yandex
> cha...@yandex-team.ru - - - Find more at http://yandex.com
>
As noted elsewhere, we aren't trying to boil the ocean, and though I certainly accept the concerns are valid (and, as mentioned above, are already being independently worked on), I think we should be careful how much we fixate on these issues versus considering the broader philosophical issues this proposal is bringing forward.
There are certainly awful things in the world of HTTPS, on a variety of fronts. And yet, despite those warts, we would be misleading ourselves and others to think that insecure transports such as HTTP - ones actively disrupted for commercial gain, "value" adding, or malicious havoc and ones that are passively monitored on widespread, pervasive scale - represent the desirable state of where we want to be or go.
I think the end goal is more robust - we want a world where users are not only safe by default, but they expect that, and can understand what makes them unsafe. Though some of these may be outside our ken as UAs - for example, we have limited ability to know you're running a three year old version of phpBB that is owned harder than Sony Pictures and has more remote exploits than msasn1.dll - there are things we do know and should communicate. One of them is that the assumption many users have - that their messages are shared only between them and the server - is not true unless the server operator is conscientious.
On 12/18/2014 04:07 AM, cha...@yandex-team.ru wrote:This is the closest thing to a standard for dealing with this situation
> There is a certificate error. The point is that since it is expected behaviour,
> I get trained to say "yeah, whatever" so I can pay for the connection I need.
> Despite the fact that it is very difficult to be *sure* that the error is not
> actually a real problem.
> I'd love to see a better situation relying on a proper standard.
> But in general I don't.
that i know of:
https://tools.ietf.org/html/draft-wkumari-dhc-capport
Until this mechanism is deployed, when you believe that you will be on
such a network, and you are willing to expose yourself to their
middlebox devices, you should *not* accept the bogus cert. Accepting
the bogus cert potentially means sending the middlebox the cookies that
you would have sent to the desired origin, which is a Bad Thing.
Instead, you should open a new browser window and point it at
http://www.example.org/, which does not use https, and so can be
rewritten/hijacked by the captive portal situation however they like.
This is a clunky mess, of course, but that's the nature of captive portals.
--dkg
On 13/12/14 00:46, Chris Palmer wrote:
> We, the Chrome Security Team, propose that user agents (UAs) gradually
> change their UX to display non-secure origins as affirmatively non-secure.
> We intend to devise and begin deploying a transition plan for Chrome in
> 2015.
I think this is a good idea - in fact, it's essential if we are to make
secure the 'new normal'.
I agree that a phased transition plan based on telemetry thresholds is
the right thing. This is a collective action problem ("Chrome tells me
this site is insecure, but Firefox is fine - so I'll use Firefox") and
so it would be awesome if we could get cross-browser agreement on what
the thresholds were and how they were measured.
I wonder whether we could make a start by marking non-secure origins in
a neutral way, as a step forward from not marking them at all. Straw-man
proposal for Firefox: replace the current greyed-out globe which appears
where the lock otherwise is with a black eye icon. When clicked, instead
of saying:
"This website does not supply identity information.
Your connection to this website is not encrypted."
it has a larger eye icon, and says something like:
"This web page was transferred over a non-secure connection, which means
that the information could have been (was probably?!) intercepted and
read by a third party while in transit."
There are many degrees of this; let's start moving this way.
Gerv
> We, the Chrome Security Team, propose that user agents (UAs) gradually
> change their UX to display non-secure origins as affirmatively non-secure.
> We intend to devise and begin deploying a transition plan for Chrome in
> 2015.
I think this is a good idea - in fact, it's essential if we are to make
secure the 'new normal'.
I agree that a phased transition plan based on telemetry thresholds is
the right thing. This is a collective action problem ("Chrome tells me
this site is insecure, but Firefox is fine - so I'll use Firefox") and
so it would be awesome if we could get cross-browser agreement on what
the thresholds were and how they were measured.
I wonder whether we could make a start by marking non-secure origins in
a neutral way, as a step forward from not marking them at all. Straw-man
proposal for Firefox: replace the current greyed-out globe which appears
where the lock otherwise is with a black eye icon. When clicked, instead
of saying:
"This website does not supply identity information.
Your connection to this website is not encrypted."
it has a larger eye icon, and says something like:
"This web page was transferred over a non-secure connection, which means
that the information could have been (was probably?!) intercepted and
read by a third party while in transit."
There are many degrees of this; let's start moving this way.
Gerv
> Roughly speaking, there are three basic transport layer security states for web origins:
>
> Secure (valid HTTPS, other origins like (*, localhost, *));
> Dubious (valid HTTPS but with mixed passive resources, valid HTTPS with minor TLS errors); and
> Non-secure (broken HTTPS, HTTP).
I'd like to propose consideration of a fourth category:
Personal Devices (home routers, printers, IoT, raspberry pis in classrooms, refrigerators):
- cannot, by nature, participate in DNS and CA systems
- likely on private network block
- user is the owner of the service, hence can trust self rather than CA
Suggested use:
- IoT devices generate unique, self-signed cert
- Friendlier interstitial (Ie. "Is this a device you recognize?") for self-signed connections on *.local, 192.168.*, 10.*, or on same local network as browser.
- user approves use on first https connection
- browser remembers (device is promoted to "secure" status)
A lot of IoT use cases could benefit from direct connection (not requiring a cloud service as secure data proxy), but this currently gives the scariest of Chrome warnings. This is probably why the average home router or firewall is administered over http.
On Thu, Dec 18, 2014 at 9:14 AM, Gervase Markham <ge...@mozilla.org> wrote:Woo hoo! :)
> I think this is a good idea - in fact, it's essential if we are to make
> secure the 'new normal'.
We don't currently have any hard thresholds, just numbers that I kind
> I agree that a phased transition plan based on telemetry thresholds is
> the right thing. This is a collective action problem ("Chrome tells me
> this site is insecure, but Firefox is fine - so I'll use Firefox") and
> so it would be awesome if we could get cross-browser agreement on what
> the thresholds were and how they were measured.
of made up. Any suggestions?
Also, shall we measure resource loads, top-level navigations, minutes
spent looking at the top-level origin, ...? Probably all of those and
more...
Yeah, that sounds good.
> I wonder whether we could make a start by marking non-secure origins in
> a neutral way, as a step forward from not marking them at all. Straw-man
> proposal for Firefox: replace the current greyed-out globe which appears
> where the lock otherwise is with a black eye icon. When clicked, instead
> of saying:
>
> "This website does not supply identity information.
>
> Your connection to this website is not encrypted."
>
> it has a larger eye icon, and says something like:
>
> "This web page was transferred over a non-secure connection, which means
> that the information could have been (was probably?!) intercepted and
> read by a third party while in transit."
>
> There are many degrees of this; let's start moving this way.
Thanks!
On Thu, Dec 18, 2014 at 9:52 AM, jstriegel via blink-devYes, I agree this is a problem. I am hoping to publish a proposal for
<blin...@chromium.org> wrote:
> I'd like to propose consideration of a fourth category:
> Personal Devices (home routers, printers, IoT, raspberry pis in classrooms, refrigerators):
> - cannot, by nature, participate in DNS and CA systems
> - likely on private network block
> - user is the owner of the service, hence can trust self rather than CA
>
> Suggested use:
> - IoT devices generate unique, self-signed cert
> - Friendlier interstitial (Ie. "Is this a device you recognize?") for self-signed connections on *.local, 192.168.*, 10.*, or on same local network as browser.
> - user approves use on first https connection
> - browser remembers (device is promoted to "secure" status)
>
> A lot of IoT use cases could benefit from direct connection (not requiring a cloud service as secure data proxy), but this currently gives the scariest of Chrome warnings. This is probably why the average home router or firewall is administered over http.
how UAs can authenticate private devices soon (in January probably).
A key goal is not having to ask the user "Is this a device you
recognize?" — I think we can get the UX flow even simpler, and still
be strong. Watch this space...
Hello Chris,
I support the goal of this project, but I'm not sure how we can get to a point where showing warning indicators makes sense. It seems that about 67% of pageviews on the Firefox beta channel are http, not https. How are Chrome's numbers?
http://telemetry.mozilla.org/#filter=beta%2F34%2FHTTP_PAGELOAD_IS_SSL&aggregates=multiselect-all!Submissions&evoOver=Builds&locked=true&sanitize=true&renderhistogram=Graph
Security warnings are often overused and therefore ignored [1]; it's even worse to provide a warning for something that's not actionable. I think we'd have to see very low plaintext rates (< 1%) in order not to habituate users into ignoring a plaintext warning indicator.
Lots of site operators don't support HTTPS, in fact some of them (e.g., https://nytimes.com and https://monica-at-mozilla.blogspot.com, which is out of my control) redirect to plaintext in order to avoid mixed content warnings. I don't think that user agents provided the right incentives in this case, and showing a warning 100% of the time to a NYTimes user seems like a losing battle.
Why not shift the onus from the user to the site operators? I would love to see a "wall of shame" for the Alexa top 1M sites that don't support HTTPS, redirect HTTPS to HTTP, and don't support HSTS. Perhaps search providers could use those to penalize rankings, as Google already does for non HTTPS sites. Efforts to make it cheap and easy to deploy HTTPS also need to advance.
Thanks,
Monica
[1] http://lorrie.cranor.org/pubs/sslwarnings.pdf
I support the goal of this project, but I'm not sure how we can get to a point where showing warning indicators makes sense. It seems that about 67% of pageviews on the Firefox beta channel are http, not https. How are Chrome's numbers?
http://telemetry.mozilla.org/#filter=beta%2F34%2FHTTP_PAGELOAD_IS_SSL&aggregates=multiselect-all!Submissions&evoOver=Builds&locked=true&sanitize=true&renderhistogram=Graph
Security warnings are often overused and therefore ignored [1]; it's even worse to provide a warning for something that's not actionable. I think we'd have to see very low plaintext rates (< 1%) in order not to habituate users into ignoring a plaintext warning indicator.
Lots of site operators don't support HTTPS, in fact some of them (e.g., https://nytimes.com and https://monica-at-mozilla.blogspot.com, which is out of my control) redirect to plaintext in order to avoid mixed content warnings. I don't think that user agents provided the right incentives in this case, and showing a warning 100% of the time to a NYTimes user seems like a losing battle.
Why not shift the onus from the user to the site operators? I would love to see a "wall of shame" for the Alexa top 1M sites that don't support HTTPS, redirect HTTPS to HTTP, and don't support HSTS. Perhaps search providers could use those to penalize rankings, as Google already does for non HTTPS sites. Efforts to make it cheap and easy to deploy HTTPS also need to advance.
Thanks,
Monica
[1] http://lorrie.cranor.org/pubs/sslwarnings.pdf
On Fri, Dec 12, 2014 at 4:46 PM, Chris Palmer <pal...@google.com> wrote:
Hi everyone,
Apologies to those of you who are about to get this more than once, due to
the cross-posting. I'd like to get feedback from a wide variety of people:
UA developers, web developers, and users. The canonical location for this
proposal is:
https://www.chromium.org/Home/chromium-security/marking-http-as-non-secure.
ProposalThe goal of this proposal is to more clearly display to users that HTTP
We, the Chrome Security Team, propose that user agents (UAs) gradually
change their UX to display non-secure origins as affirmatively non-secure.
We intend to devise and begin deploying a transition plan for Chrome in
2015.
provides no data security.
Request
We’d like to hear everyone’s thoughts on this proposal, and to discuss with
the web community about how different transition plans might serve users.
Background
We all need data communication on the web to be secure (private,
authenticated, untampered). When there is no data security, the UA should
explicitly display that, so users can make informed decisions about how to
interact with an origin.-
Roughly speaking, there are three basic transport layer security states for
web origins:
-
Secure (valid HTTPS, other origins like (*, localhost, *));-
Dubious (valid HTTPS but with mixed passive resources, valid HTTPS with
minor TLS errors); and
Non-secure (broken HTTPS, HTTP).
For more precise definitions of secure and non-secure, see Requirements for
Powerful Features <http://www.w3.org/TR/powerful-features/> and Mixed
Content <http://www.w3.org/TR/mixed-content/>.
We know that active tampering and surveillance attacks, as well as passive
surveillance attacks, are not theoretical but are in fact commonplace on
the web.
RFC 7258: Pervasive Monitoring Is an Attack
<https://tools.ietf.org/html/rfc7258>
NSA uses Google cookies to pinpoint targets for hacking
<http://www.washingtonpost.com/blogs/the-switch/wp/2013/12/10/nsa-uses-google-cookies-to-pinpoint-targets-for-hacking/>
Verizon’s ‘Perma-Cookie’ Is a Privacy-Killing Machine
<http://www.wired.com/2014/10/verizons-perma-cookie/>
How bad is it to replace adSense code id to ISP's adSense ID on free
Internet?
<http://stackoverflow.com/questions/25438910/how-bad-is-it-to-replace-adsense-code-id-to-isps-adsense-id-on-free-internet>
Comcast Wi-Fi serving self-promotional ads via JavaScript injection
<http://arstechnica.com/tech-policy/2014/09/why-comcasts-javascript-ad-injections-threaten-security-net-neutrality/>
Erosion of the moral authority of transparent middleboxes
<https://tools.ietf.org/html/draft-hildebrand-middlebox-erosion-01>
Transitioning The Web To HTTPS <https://w3ctag.github.io/web-https/>
We know that people do not generally perceive the absence of a warning sign.
(See e.g. The Emperor's New Security Indicators
<http://commerce.net/wp-content/uploads/2012/04/The%20Emperors_New_Security_Indicators.pdf>.)
Yet the only situation in which web browsers are guaranteed not to warn
users is precisely when there is no chance of security: when the origin is
transported via HTTP. Here are screenshots of the status quo for non-secure
domains in Chrome, Safari, Firefox, and Internet Explorer:
[image: Screen Shot 2014-12-11 at 5.08.48 PM.png]
[image: Screen Shot 2014-12-11 at 5.09.55 PM.png]
[image: Screen Shot 2014-12-11 at 5.11.04 PM.png]
[image: ie-non-secure.png]
Particulars
UA vendors who agree with this proposal should decide how best to phase in
the UX changes given the needs of their users and their product design
constraints. Generally, we suggest a phased approach to marking non-secure
origins as non-secure. For example, a UA vendor might decide that in the
medium term, they will represent non-secure origins in the same way that
they represent Dubious origins. Then, in the long term, the vendor might
decide to represent non-secure origins in the same way that they represent
Bad origins.
Ultimately, we can even imagine a long term in which secure origins are so
widely deployed that we can leave them unmarked (as HTTP is today), and
mark only the rare non-secure origins.
There are several ways vendors might decide to transition from one phase to
the next. For example, the transition plan could be time-based:
1.
T0 (now): Non-secure origins unmarked
2.
T1: Non-secure origins marked as Dubious
3.
T2: Non-secure origins marked as Non-secure
4.
T3: Secure origins unmarked
Or, vendors might set thresholds based on telemetry that measures the
ratios of user interaction with secure origins vs. non-secure. Consider
this strawman proposal:
1.
Secure > 65%: Non-secure origins marked as Dubious
2.
Secure > 75%: Non-secure origins marked as Non-secure
3.
Secure > 85%: Secure origins unmarked
The particular thresholds or transition dates are very much up for
discussion. Additionally, how to define “ratios of user interaction” is
also up for discussion; ideas include the ratio of secure to non-secure
page loads, the ratio of secure to non-secure resource loads, or the ratio
of total time spent interacting with secure vs. non-secure origins.
We’d love to hear what UA vendors, web developers, and users think. Thanks
for reading!
_______________________________________________
dev-security mailing list
dev-se...@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
On Thu, Dec 18, 2014 at 12:12 PM, Monica Chew <m...@mozilla.com> wrote:Security warnings are often overused and therefore ignored [1]; it's even worse to provide a warning for something that's not actionable. I think we'd have to see very low plaintext rates (< 1%) in order not to habituate users into ignoring a plaintext warning indicator.
The context of the paper you cite is for a far more intrusive type of warning than anyone has proposed here. Interstitials or popups are very aggressive methods of warning that should only be used when something is almost certainly wrong, or else they indeed risk the "crying wolf" effect. Some sort of small passive indicator is a very different thing.
PK
On Thu, Dec 18, 2014 at 12:12 PM, Monica Chew <m...@mozilla.com> wrote:
> I support the goal of this project, but I'm not sure how we can get to aCurrently, roughly 58% of top-level navigations in Chrome are HTTPS.
> point where showing warning indicators makes sense. It seems that about 67%
> of pageviews on the Firefox beta channel are http, not https. How are
> Chrome's numbers?
(a) Users are currently habituated to treat non-secure transport as
> Security warnings are often overused and therefore ignored [1]; it's even
> worse to provide a warning for something that's not actionable. I think we'd
> have to see very low plaintext rates (< 1%) in order not to habituate users
> into ignoring a plaintext warning indicator.
OK. The status quo is terrible.
(b) What Peter Kasting said: we propose a passive indicator, not a
pop-up or interstitial.
Again, it's a passive indicator; and, the proposal is to *fix* what
> Lots of site operators don't support HTTPS, in fact some of them (e.g.,
> https://nytimes.com and https://monica-at-mozilla.blogspot.com, which is out
> of my control) redirect to plaintext in order to avoid mixed content
> warnings. I don't think that user agents provided the right incentives in
> this case, and showing a warning 100% of the time to a NYTimes user seems
> like a losing battle.
you seem to agree is the wrong incentive.
The NY Times in particular is committed to change and challenges other
news sites to move to HTTPS:
http://open.blogs.nytimes.com/2014/11/13/embracing-https/
This isn't about putting an onus on users, it's about allowing users
> Why not shift the onus from the user to the site operators?
to at least perceive the reality. And yes, that will put pressure on
some site operators. At the same time, the industry is working to make
HTTPS more usable. These efforts are complementary.
According to Gutmann, they are equally ignored by users. In the first
case, the user will click through the intrusive popup. In the second
case, they won't know what the icon means or they will ignore it.
Refer to Chapter 2 and Chapter 3 of his book.
In both cases, the browser should do the right thing for the user. In
a security context, that 's "defend, don't ask". Refer to Chapter 2 of
Gutmann's book.
case, the user will click through the intrusive popup. In the second
case, they won't know what the icon means or they will ignore it.
Refer to Chapter 2 and Chapter 3 of his book.
In both cases, the browser should do the right thing for the user. In
a security context, that 's "defend, don't ask". Refer to Chapter 2 of
Gutmann's book.
On Thu, Dec 18, 2014 at 12:27 PM, 'Chris Palmer' via Security-dev <securi...@chromium.org> wrote:On Thu, Dec 18, 2014 at 12:12 PM, Monica Chew <m...@mozilla.com> wrote:
> I support the goal of this project, but I'm not sure how we can get to a
> point where showing warning indicators makes sense. It seems that about 67%
> of pageviews on the Firefox beta channel are http, not https. How are
> Chrome's numbers?
Currently, roughly 58% of top-level navigations in Chrome are HTTPS.
I'm curious about the difference between the two browsers. My guess is that we're treating same-origin navigations differently, particularly fragment changes. Monica, is Firefox collapsing all same-origin navigations into a single histogram entry? Given that people spend a lot of time on a small number of popular (and HTTPS) sites, it would account for the different stats.
> Security warnings are often overused and therefore ignored [1]; it's even
> worse to provide a warning for something that's not actionable. I think we'd
> have to see very low plaintext rates (< 1%) in order not to habituate users
> into ignoring a plaintext warning indicator.
(a) Users are currently habituated to treat non-secure transport as
OK. The status quo is terrible.
I originally shared Monica's reservations --- I don't want to add another indicator that people will learn to ignore. But people are already ignoring http because we show no indicator at all, so in the worst case we will end up in the same place (but at least we will be consistent with how we label schemes).
(b) What Peter Kasting said: we propose a passive indicator, not a
pop-up or interstitial.
> Lots of site operators don't support HTTPS, in fact some of them (e.g.,
> https://nytimes.com and https://monica-at-mozilla.blogspot.com, which is out
> of my control) redirect to plaintext in order to avoid mixed content
> warnings. I don't think that user agents provided the right incentives in
> this case, and showing a warning 100% of the time to a NYTimes user seems
> like a losing battle.
Again, it's a passive indicator; and, the proposal is to *fix* what
you seem to agree is the wrong incentive.
The NY Times in particular is committed to change and challenges other
news sites to move to HTTPS:
http://open.blogs.nytimes.com/2014/11/13/embracing-https/
> Why not shift the onus from the user to the site operators?
This isn't about putting an onus on users, it's about allowing users
to at least perceive the reality. And yes, that will put pressure on
some site operators. At the same time, the industry is working to make
HTTPS more usable. These efforts are complementary.
On Thu, Dec 18, 2014 at 12:27 PM, Chris Palmer <pal...@google.com> wrote:
On Thu, Dec 18, 2014 at 12:12 PM, Monica Chew <m...@mozilla.com> wrote:
> I support the goal of this project, but I'm not sure how we can get to a
> point where showing warning indicators makes sense. It seems that about 67%
> of pageviews on the Firefox beta channel are http, not https. How are
> Chrome's numbers?
Currently, roughly 58% of top-level navigations in Chrome are HTTPS.
Thanks for the numbers. That's a significant gap (58% vs 33%). Do you have any idea why this might be the case?
> Security warnings are often overused and therefore ignored [1]; it's even
> worse to provide a warning for something that's not actionable. I think we'd
> have to see very low plaintext rates (< 1%) in order not to habituate users
> into ignoring a plaintext warning indicator.
(a) Users are currently habituated to treat non-secure transport as
OK. The status quo is terrible.
(b) What Peter Kasting said: we propose a passive indicator, not a
pop-up or interstitial.
I understand the desire here, but a passive indicator is not going to change the status quo if it's shown 42% of the time (or 67% of the time, in Firefox's case). Other passive indicators (e.g., Prop 65 warnings if you live in California, or compiler warnings that aren't failures) haven't succeeded in changing the status quo. Again, what's the action that typical users are going to take when they see a passive indicator?
Thanks,
Monica
Thanks,
Monica
I'm curious about the difference between the two browsers. My guess is that we're treating same-origin navigations differently, particularly fragment changes. Monica, is Firefox collapsing all same-origin navigations into a single histogram entry? Given that people spend a lot of time on a small number of popular (and HTTPS) sites, it would account for the different stats.
I don't think so.. This histogram is updated at https://mxr.mozilla.org/mozilla-central/source/netwerk/protocol/http/nsHttpChannel.cpp#1385.
Thanks,
Monica
On Thu, Dec 18, 2014 at 1:18 PM, Monica Chew <m...@mozilla.com> wrote:I understand the desire here, but a passive indicator is not going to change the status quo if it's shown 42% of the time (or 67% of the time, in Firefox's case).
Which is presumably why the key question this thread asked is what metrics to use to decide it makes sense to start showing these warnings, and what the thresholds should be.
PK
OK. I think the thresholds should be < 5%, preferably < 1%. What do you think they should be?
Also I was wrong about collapsing fragment navigation, and that probably explains the difference between FF and Chrome.
Thanks,
Monica
On Thu, Dec 18, 2014 at 1:18 PM, Monica Chew <m...@mozilla.com> wrote:I don't, unfortunately.
> Thanks for the numbers. That's a significant gap (58% vs 33%). Do you have
> any idea why this might be the case?
I think we (Chrome) are going to try measuring HTTPS vs. HTTP
deployment in other ways too, and then we might see discrepancies.
That's part of why we plan to gate the change on increasing HTTPS
> I understand the desire here, but a passive indicator is not going to change
> the status quo if it's shown 42% of the time (or 67% of the time, in
> Firefox's case).
adoption. Gervase liked that idea, too.
Citation needed...?
> Other passive indicators (e.g., Prop 65 warnings if you
> live in California, or compiler warnings that aren't failures) haven't
> succeeded in changing the status quo.
(If you're arguing that we should all compile with -Werror, I'll
surely agree with you. Chrome does. But I assume you did not mean to
suggest we should do the equivalent for HTTP navigation, at least not
yet...)
First, keep in mind that you can't argue that showing the passive
> Again, what's the action that typical
> users are going to take when they see a passive indicator?
indicator will be both ignored and crying wolf. It's one or the other.
Which argument are you making?
That said,
* Those few users who do look at it will at least be able to discern
the truth. Currently, they cannot.
* Site operators are likely to discern the truth, and may be motivated
to deploy HTTPS, if they feel that their user base might demand it.
(Complementarily, as site operators seek to use more powerful,
app-like features like Service Workers, they will increasingly deploy
HTTPS because they have to.)
* As we make the web more powerful and more app-like, we (Chrome) seek
to join the "what powerful permissions does this origin have?" views
and controls with the "by the way, how authentic is this origin?"
view. (See attached Chrome screenshot, showing that they are already
significantly merged. In my other window I am working on a patch to
make this easier to use.) As users become increasingly aware of these
controls, they may become increasingly aware of the authenticity
marking. And then they may make decisions about granting permissions
differently, or at least with more information. Basically, "how real
and how powerful is this origin" is gradually becoming a first-class
UX piece.
But, fundamentally, we owe it to users to tell the truth. I don't see
that the status quo is defensible.
On Thu, Dec 18, 2014 at 1:41 PM, Monica Chew <m...@mozilla.com> wrote:On Thu, Dec 18, 2014 at 1:34 PM, Peter Kasting <pkas...@google.com> wrote:On Thu, Dec 18, 2014 at 1:18 PM, Monica Chew <m...@mozilla.com> wrote:I understand the desire here, but a passive indicator is not going to change the status quo if it's shown 42% of the time (or 67% of the time, in Firefox's case).Which is presumably why the key question this thread asked is what metrics to use to decide it makes sense to start showing these warnings, and what the thresholds should be.OK. I think the thresholds should be < 5%, preferably < 1%. What do you think they should be?
I have no opinion. I'm simply trying to keep the discussion on track.
PK
Sigh. Re-posting this, because the Mozilla list doesn't like large attachments.
To see the equivalent, go to https://www.google.com and click on the
green lock in the Omnibox.
To see the equivalent, go to https://www.google.com and click on the
green lock in the Omnibox.
On 12/18/2014 12:14 PM, Gervase Markham wrote:I like this change.
> I wonder whether we could make a start by marking non-secure origins in
> a neutral way, as a step forward from not marking them at all. Straw-man
> proposal for Firefox: replace the current greyed-out globe which appears
> where the lock otherwise is with a black eye icon. When clicked, instead
> of saying:
>
> "This website does not supply identity information.
>
> Your connection to this website is not encrypted."
>
> it has a larger eye icon, and says something like:
>
> "This web page was transferred over a non-secure connection, which means
> that the information could have been (was probably?!) intercepted and
> read by a third party while in transit."
Four proposed fine-tunings:
A) i don't think we should remove "This website does not supply
identity information" -- but maybe replace it with "The identity of this
site is unconfirmed" or "The true identity of this site is unknown"
B) snooping isn't the only issue -- modification is as well. Maybe the
updated statement can mention that the web page could have been modified
in transit as well.
C) if there was a way to ensure that the user knows we're talking about
the data they sent as well as the data they're looking at that would be
good too.
D) "a third party" is both legalistic and singular. there could be
multiple parties tapping the line. what about just "others"?
Here's my attempt at resolving these, fwiw:
-------
The true identity of this site is unknown.
that the page and any information you sent to it could have been read or
This web page was transferred over a non-secure connection, which means
modified by others while in transit.
-------
--dkg
On Thu, Dec 18, 2014 at 5:10 PM, Daniel Kahn Gillmor
<d...@fifthhorseman.net> wrote:
> ...
of them lead to a false sense of security.
Given the degree to which standard bodies accommodate (promote?)
interception, UA's should probably steer clear of making any
statements like that if accuracy is a goal.
<d...@fifthhorseman.net> wrote:
> ...
> Four proposed fine-tunings:None of them are correct when an interception proxy is involved. All
>
> A) i don't think we should remove "This website does not supply
> identity information" -- but maybe replace it with "The identity of this
> site is unconfirmed" or "The true identity of this site is unknown"
of them lead to a false sense of security.
Given the degree to which standard bodies accommodate (promote?)
interception, UA's should probably steer clear of making any
statements like that if accuracy is a goal.
On Thu, Dec 18, 2014 at 2:22 PM, Jeffrey Walton <nolo...@gmail.com> wrote:Are you talking about if an intercepting proxy is intercepting HTTP
>> A) i don't think we should remove "This website does not supply
>> identity information" -- but maybe replace it with "The identity of this
>> site is unconfirmed" or "The true identity of this site is unknown"
>
> None of them are correct when an interception proxy is involved. All
> of them lead to a false sense of security.
>
> Given the degree to which standard bodies accommodate (promote?)
> interception, UA's should probably steer clear of making any
> statements like that if accuracy is a goal.
traffic, or HTTPS traffic?
A MITM needs a certificate issued for the proxied hostname, that is
signed by an issuer the client trusts. Some attackers can achieve
that, but it's not trivial.
No it doesn't need a certificate. A MITM can be executed through a
compromised or rogue router. It's simple enough to set up a public
network in well-known wifi hotspots and attract unwitting users. Then
the HTTPS doesn't protect anyone's transmission from anything as the
router forms the other end of the secure connection and initiates its
own secure connection with the user's intended destination (either the
site they are trying to get to or whatever site the bad guys want them
to visit).
Google, Apple, and other large tech companies learned the hard way this
year that their use of HTTPS failed to protect users from MITM attacks.
--
Michael Martinez
http://www.michael-martinez.com/
YOU CAN HELP OUR WOUNDED WARRIORS
http://www.woundedwarriorproject.org/
compromised or rogue router. It's simple enough to set up a public
network in well-known wifi hotspots and attract unwitting users. Then
the HTTPS doesn't protect anyone's transmission from anything as the
router forms the other end of the secure connection and initiates its
own secure connection with the user's intended destination (either the
site they are trying to get to or whatever site the bad guys want them
to visit).
Google, Apple, and other large tech companies learned the hard way this
year that their use of HTTPS failed to protect users from MITM attacks.
--
Michael Martinez
http://www.michael-martinez.com/
YOU CAN HELP OUR WOUNDED WARRIORS
http://www.woundedwarriorproject.org/
I'm sorry, this isn't how HTTPS works and isn't accurate, unless you have explicitly installed the routers cert as a CA cert. If you have, then you're not really an unwitting user (and it is quite hard to do this).
Of course, everything you said is true for insecure HTTP. Which is why this proposal is about reflecting that truth to the user.
On 12/18/2014 05:55 PM, Michael Martinez wrote:It sounds like you're saying that browsers don't verify the X.509
> No it doesn't need a certificate. A MITM can be executed through a
> compromised or rogue router. It's simple enough to set up a public
> network in well-known wifi hotspots and attract unwitting users. Then
> the HTTPS doesn't protect anyone's transmission from anything as the
> router forms the other end of the secure connection and initiates its
> own secure connection with the user's intended destination (either the
> site they are trying to get to or whatever site the bad guys want them
> to visit).
certificate presented by the https origin server, or at least that they
don't verify that the hostname matches.
This is a serious and extraordinary claim. Please provide evidence for it.
--dkg
On 12/18/2014 6:04 PM, Ryan Sleevi wrote:
On Dec 18, 2014 2:55 PM, "Michael Martinez" <michael...@xenite.org> wrote:
>
> On 12/18/2014 5:29 PM, Chris Palmer wrote:
>>
>> On Thu, Dec 18, 2014 at 2:22 PM, Jeffrey Walton <nolo...@gmail.com> wrote:
>>
>>>> A) i don't think we should remove "This website does not supply
>>>> identity information" -- but maybe replace it with "The identity of this
>>>> site is unconfirmed" or "The true identity of this site is unknown"
>>>
>>> None of them are correct when an interception proxy is involved. All
>>> of them lead to a false sense of security.
>>>
>>> Given the degree to which standard bodies accommodate (promote?)
>>> interception, UA's should probably steer clear of making any
>>> statements like that if accuracy is a goal.
>>
>> Are you talking about if an intercepting proxy is intercepting HTTP
>> traffic, or HTTPS traffic?
>>
>> A MITM needs a certificate issued for the proxied hostname, that is
>> signed by an issuer the client trusts. Some attackers can achieve
>> that, but it's not trivial.
>
>
> No it doesn't need a certificate. A MITM can be executed through a compromised or rogue router. It's simple enough to set up a public network in well-known wifi hotspots and attract unwitting users. Then the HTTPS doesn't protect anyone's transmission from anything as the router forms the other end of the secure connection and initiates its own secure connection with the user's intended destination (either the site they are trying to get to or whatever site the bad guys want them to visit).
>
> Google, Apple, and other large tech companies learned the hard way this year that their use of HTTPS failed to protect users from MITM attacks.
>I'm sorry, this isn't how HTTPS works and isn't accurate, unless you have explicitly installed the routers cert as a CA cert. If you have, then you're not really an unwitting user (and it is quite hard to do this).
You're assuming people don't connect to open wifi hotspots where rogue routers can be set up by anyone. If thieves are willing to build fake ATM machines and distribute them to shopping centers across a large geographical area then they will certainly go to the same lengths to distribute rogue routers. Furthermore, at least two research teams have shown earlier this year that wireless routers can be compromised with virus-like software; when these vulnerabilities are exploited it won't matter if the router has a valid certificate.
On top of that University of Birmingham researchers also found that inappropriately built apps for iOS and Android can leave users' security credentials vulnerable to sniffing.
You people are putting your faith in a defense that has already been compromised in many ways. The distributed nature of the network of access points virtually assures that MITM attacks will continue to bypass HTTPS security. The manner of warnings you place on Websites with apparently invalid certificates is rendered moot.
Of course, everything you said is true for insecure HTTP. Which is why this proposal is about reflecting that truth to the user.
-- Michael Martinez http://www.michael-martinez.com/ YOU CAN HELP OUR WOUNDED WARRIORS http://www.woundedwarriorproject.org/
No, what I am saying is that you can bypass the certificate for a MITM
attack via a new technique that was published earlier this year. If you
compromise someone else's router you can control it from your own nearby
router. The compromised router with the valid certificate sends the
user through whatever gateway you specify.
What makes the access points most vulnerable to attack is the human
factor. Someone has to monitor the system for breaches and how often
does that happen? It will vary by company and community, depending on
how well they budget for competent security techs. And how often are
these routers replaced with newer models? Look at what happened with
the ISPs earlier this year who had to replace all their routers because
they ran out of pathway memory. Even the "big guys" who are supposed to
think about this stuff all the time allow their equipment to depreciate
off the books or grow old until it's obsolete.
Meanwhile, you're trying to plug holes in a sieve with HTTPS and browser
warnings.
attack via a new technique that was published earlier this year. If you
compromise someone else's router you can control it from your own nearby
router. The compromised router with the valid certificate sends the
user through whatever gateway you specify.
What makes the access points most vulnerable to attack is the human
factor. Someone has to monitor the system for breaches and how often
does that happen? It will vary by company and community, depending on
how well they budget for competent security techs. And how often are
these routers replaced with newer models? Look at what happened with
the ISPs earlier this year who had to replace all their routers because
they ran out of pathway memory. Even the "big guys" who are supposed to
think about this stuff all the time allow their equipment to depreciate
off the books or grow old until it's obsolete.
Meanwhile, you're trying to plug holes in a sieve with HTTPS and browser
warnings.
On Thu, Dec 18, 2014 at 3:39 PM, Michael MartinezIndeed, there are many rogue wifi hotspots, and indeed many rogue
<michael...@xenite.org> wrote:
> You're assuming people don't connect to open wifi hotspots where rogue
> routers can be set up by anyone. If thieves are willing to build fake ATM
> machines and distribute them to shopping centers across a large geographical
> area then they will certainly go to the same lengths to distribute rogue
> routers.
routers at ISPs (it's definitely not just "last mile" routing that we
need to be concerned about).
The part you're missing is that the man-in-the-middle attacker needs
to present a certificate for the server, say mail.google.com, that was
issued by a certification authority *that the client trusts*. Not just
any certificate for mail.google.com will do.
Now, this is not an insurmountable obstacle to the attacker. But it is
non-trivial: the CAs that clients trust are trying hard not to
mis-issue certificates. And, we are working to make it even more
difficult for attackers, such as with our Certificate Transparency and
public key pinning efforts.
Before arguing against HTTPS, you should make sure you know how it works.
I would encourage you try to mount the attack you describe (only
against your own computers, of course!). I think you will find that
you won't get very far without a valid certificate issued by a
well-known CA.
On 12/18/2014 6:49 PM, Chris Palmer wrote:No, see my other reply for why that is no longer true. The point here
> On Thu, Dec 18, 2014 at 3:39 PM, Michael Martinez
> <michael...@xenite.org> wrote:
>
>> You're assuming people don't connect to open wifi hotspots where rogue
>> routers can be set up by anyone. If thieves are willing to build fake ATM
>> machines and distribute them to shopping centers across a large geographical
>> area then they will certainly go to the same lengths to distribute rogue
>> routers.
> Indeed, there are many rogue wifi hotspots, and indeed many rogue
> routers at ISPs (it's definitely not just "last mile" routing that we
> need to be concerned about).
>
> The part you're missing is that the man-in-the-middle attacker needs
> to present a certificate for the server, say mail.google.com, that was
> issued by a certification authority *that the client trusts*. Not just
> any certificate for mail.google.com will do.
is that coercing the Web into changing over to HTTPS is equivalent to
forcing everyone to replace their cell phones with land lines. You're
trying to fix a technology that has been rendered obsolete by exploits
that were never anticipated in the original design.
Before arguing FOR HTTPS you need to make sure you know about all the
> Now, this is not an insurmountable obstacle to the attacker. But it is
> non-trivial: the CAs that clients trust are trying hard not to
> mis-issue certificates. And, we are working to make it even more
> difficult for attackers, such as with our Certificate Transparency and
> public key pinning efforts.
>
> Before arguing against HTTPS, you should make sure you know how it works.
latest exploits that render it useless.
I encourage you to spend more time doing research in this area and less
time repeating lectures that are outdated. HTTPS really doesn't
accomplish anything in the long run anyway. All the user data you're
encrypting eventually becomes vulnerable to hacking on the server side.
Sure, that data could be encrypted over there (and should be) but it's not.
So you're standing guard at the front door and the thieves are breaking
into the house through the windows. Meanwhile you're creating a bad
user experience with all these warnings and road-blocks to perfectly
legitimate Websites, burdening the system with extra processing cycles,
and not preventing massive MITM attacks from making the news every 1-2
months.
Your time and effort would be better spent improving the browser
experience.
On 12/18/2014 06:46 PM, Michael Martinez wrote:Links, please.
> No, what I am saying is that you can bypass the certificate for a MITM
> attack via a new technique that was published earlier this year.
You seem to be saying now that the attacker does need a valid
> If you
> compromise someone else's router you can control it from your own nearby
> router. The compromised router with the valid certificate sends the
> user through whatever gateway you specify.
certificate; earlier you claimed no certificate was needed.
I'm sure everyone agrees that the dominant X.509 certificate issuance
process and auditability can be improved, but it's not trivial to get a
fake cert automatically.
The fact that HTTPS is not 100% perfect does not mean that HTTP is
somehow secure.
You sound very concerned about MITM attacks. I am too.
Compared to HTTPS, HTTP is *trivially* vulnerable to MITM attacks.
Shouldn't we visibly mark HTTP connections as insecure?
--dkg
On Thu, Dec 18, 2014 at 3:46 PM, Michael Martinez <michael...@xenite.org> wrote:No, what I am saying is that you can bypass the certificate for a MITM attack via a new technique that was published earlier this year.
Citation needed.
Earlier this year, you made these two G+ posts suggesting HTTPS is broken:
Google, the great champion of HTTPS/SSL, cannot prevent yet more man-in-the-middle attacks against its users: http://www.theregister.co.uk/2014/11/21/hackers_snaffling_smartphone_secrets_with_redirection_attack/
If your company is serious about using HTTPS it has to do it right (not that it will matter, but don't throw your money away on bad implementation). http://www.darkreading.com/endpoint/the-week-when-attackers-started-winning-the-war-on-trust-/a/d-id/1317657
The first link is about an ARP-poisoning man-in-the-middle attack that has nothing to do with HTTPS/SSL, the article doesn't mention "HTTPS" or "SSL", and in fact the attack would have been *prevented* by HTTPS/SSL.
The second link is about how mismanaging your web server can compromise HTTPS's added security benefits (e.g., using long-unsupported MD5 certificates or revealing your SSL secret key). That's true, but misleading: the risks are no more severe than if you mismanage an HTTP-only server.
You seem to be arguing that people shouldn't be encouraged to lock their doors when leaving because sometimes they forget to lock their windows. But actually we need to encourage people to do *both*.
On 12/18/2014 6:57 PM, Daniel Kahn Gillmor wrote:I'm not going to sit here and do the research that you should already be
> On 12/18/2014 06:46 PM, Michael Martinez wrote:
>> No, what I am saying is that you can bypass the certificate for a MITM
>> attack via a new technique that was published earlier this year.
> Links, please.
doing for yourself, but here is one link that explains how some smart
phone apps were compromised. It's disturbing to see that people working
on security protocols are not aware of articles that have appeared on
security blogs, in news media, and on university Websites.
A Study of SSL Proxy Attacks on Android and iOS Mobile Applications
http://harvey.binghamton.edu/~ychen/CCNC2014_SSL_Attacks.pdf
This is only one example.
>If you compromise a legitimate router you just hide behind the
>> If you
>> compromise someone else's router you can control it from your own nearby
>> router. The compromised router with the valid certificate sends the
>> user through whatever gateway you specify.
> You seem to be saying now that the attacker does need a valid
> certificate; earlier you claimed no certificate was needed.
legitimate router and send people wherever you want. What's one or two
more hops even if you're only passing them through a gateway they know
nothing about? One recent study followed traffic on compromised routers
that did nothing. The researchers suggested that it may have been an
early stage botnet either in testing or buildout.
> The fact that HTTPS is not 100% perfect does not mean that HTTP isHTTP doesn't need to be secure. Explain to me why I should have to have
> somehow secure.
connect to an HTTPS server just to read the news or a blog? If I am not
passing any information to the Website, why does it have to be hosted on
HTTPS? That is not trivial for the average Webmaster.
I'm not just concerned about HTTPS attacks. I'm also concerned about
wasted effort being spent on unnecessary security because of Google's
fear-mongering. I get why they are doing this. They were hurt in the
public image by the Edward Snowden scandal. But they sure don't mind
telling everyone they have no reasonable expectation of privacy when
their services are involved.
BTW -- as you do your due diligence in these matters, look also for
information on how YouTube videos can be used to compromise users'
computers. Gosh, that's an HTTPS Website, isn't it? I feel safer already.
Complexity that serves no useful purpose represents no improvement on
the status quo. Google and those who stand with it on these "privacy"
issues need to make a much better case for coercing millions of Websites
into using HTTPS.
Browser developers do not need to participate in this public shaming game.
I will leave off on this discussion at this point as it is clear to me I
am better informed about what is happening than some, and I really am
not going to be drawn into to sharing link after link in order to play a
stalling game.
Some of you guys have already made up your minds on this without doing
proper research. But you clearly haven't stopped to think about what a
burden you will create for millions of Website owners who have no idea
of how to support this insane initiative. And that will just make them
more dependent on self-serving solution providers like Google.
Don't do this. Please do NOT screw up the web with this nonsense.
A skim of this shows that this is about mobile apps not correctly verifying TLS and has nothing to do with whether TLS as a protocol is broken. Probably you should learn how TLS actually works and read the papers you are linking before making extraordinary claims.
> On Dec 18, 2014, at 7:08 PM, Michael Martinez <michael...@xenite.org> wrote:
>
> On 12/18/2014 6:57 PM, Daniel Kahn Gillmor wrote:
>> On 12/18/2014 06:46 PM, Michael Martinez wrote:
>>> No, what I am saying is that you can bypass the certificate for a MITM
>>> attack via a new technique that was published earlier this year.
>> Links, please.
> I'm not going to sit here and do the research that you should already be doing for yourself, but here is one link that explains how some smart phone apps were compromised. It's disturbing to see that people working on security protocols are not aware of articles that have appeared on security blogs, in news media, and on university Websites.
>
> A Study of SSL Proxy Attacks on Android and iOS Mobile Applications
> http://harvey.binghamton.edu/~ychen/CCNC2014_SSL_Attacks.pdf
>
> This is only one example.
---
>>
>>> If you
>>> compromise someone else's router you can control it from your own nearby
>>> router. The compromised router with the valid certificate sends the
>>> user through whatever gateway you specify.
>> You seem to be saying now that the attacker does need a valid
>> certificate; earlier you claimed no certificate was needed.
> If you compromise a legitimate router you just hide behind the legitimate router and send people wherever you want. What's one or two more hops even if you're only passing them through a gateway they know nothing about? One recent study followed traffic on compromised routers that did nothing. The researchers suggested that it may have been an early stage botnet either in testing or buildout.
>> The fact that HTTPS is not 100% perfect does not mean that HTTP is
>> somehow secure.
> HTTP doesn't need to be secure. Explain to me why I should have to have connect to an HTTPS server just to read the news or a blog? If I am not passing any information to the Website, why does it have to be hosted on HTTPS? That is not trivial for the average Webmaster.
>
> I'm not just concerned about HTTPS attacks. I'm also concerned about wasted effort being spent on unnecessary security because of Google's fear-mongering. I get why they are doing this. They were hurt in the public image by the Edward Snowden scandal. But they sure don't mind telling everyone they have no reasonable expectation of privacy when their services are involved.
>
> BTW -- as you do your due diligence in these matters, look also for information on how YouTube videos can be used to compromise users' computers. Gosh, that's an HTTPS Website, isn't it? I feel safer already.
>
> Complexity that serves no useful purpose represents no improvement on the status quo. Google and those who stand with it on these "privacy" issues need to make a much better case for coercing millions of Websites into using HTTPS.
>
> Browser developers do not need to participate in this public shaming game.
>
> I will leave off on this discussion at this point as it is clear to me I am better informed about what is happening than some, and I really am not going to be drawn into to sharing link after link in order to play a stalling game.
>
> Some of you guys have already made up your minds on this without doing proper research. But you clearly haven't stopped to think about what a burden you will create for millions of Website owners who have no idea of how to support this insane initiative. And that will just make them more dependent on self-serving solution providers like Google.
>
> Don't do this. Please do NOT screw up the web with this nonsense.
Donald Stufft
PGP: 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
On Thu, Dec 18, 2014 at 4:08 PM, Michael MartinezThat paper describes bugs in the certificate validation procedures *of
<michael...@xenite.org> wrote:
> A Study of SSL Proxy Attacks on Android and iOS Mobile Applications
> http://harvey.binghamton.edu/~ychen/CCNC2014_SSL_Attacks.pdf
specific clients*. (Note that the authors call out the fact that the
clients in question are *not* browsers.)
That doesn't mean the protocol is fundamentally flawed; it means those
particular non-browser clients have bugs.
If you can find such a bug in Chrome (or Firefox, or other browser),
you should report the flaw to the vendor. Google offers money in
reward for such findings:
https://www.google.com/about/appsecurity/chrome-rewards/index.html
If you can find one, we would consider such a finding to be a high-priority bug.
The first article describes a Double Direct attack, which is an alternative to ARP poisoning. HTTPS won't defend against the Double Direct method.On 12/18/2014 7:02 PM, Matthew Dempsky wrote:
On Thu, Dec 18, 2014 at 3:46 PM, Michael Martinez <michael...@xenite.org> wrote:No, what I am saying is that you can bypass the certificate for a MITM attack via a new technique that was published earlier this year.
Citation needed.
Earlier this year, you made these two G+ posts suggesting HTTPS is broken:
Google, the great champion of HTTPS/SSL, cannot prevent yet more man-in-the-middle attacks against its users: http://www.theregister.co.uk/2014/11/21/hackers_snaffling_smartphone_secrets_with_redirection_attack/If your company is serious about using HTTPS it has to do it right (not that it will matter, but don't throw your money away on bad implementation). http://www.darkreading.com/endpoint/the-week-when-attackers-started-winning-the-war-on-trust-/a/d-id/1317657
The first link is about an ARP-poisoning man-in-the-middle attack that has nothing to do with HTTPS/SSL, the article doesn't mention "HTTPS" or "SSL", and in fact the attack would have been *prevented* by HTTPS/SSL.
The second article covers several issues (not simply "mismanaging your web server"):
The second link is about how mismanaging your web server can compromise HTTPS's added security benefits (e.g., using long-unsupported MD5 certificates or revealing your SSL secret key). That's true, but misleading: the risks are no more severe than if you mismanage an HTTP-only server.
1) Misused digital certificates
2) All keys and certificates have to be changed to fix Heartbleed issues
3) A malware Trojan for iOS was discovered compromising keys and certificates
4) The MD5 attack you mention
The Web runs on the lowest common denominator, not on the expectations of people who require that everything be perfectly executed and blame others for failure to execute. The core of Google's proposal is that browsers should be modified to (at first) passively tell users that Websites are not using HTTPS. The significance of HTTPS is lost on most people but they will certainly become alarmed if the klaxons are sounded. Worse yet, most Websites don't collect user data or exchange private information, so why should they be forced to take on the burden of adding security that won't even be used?
No, we need to encourage the people building the tools we use to browse the Web to think about the implications of their assumptions. You're going to ostracize innocent Websites for doing nothing to harm users' privacy and security because Google said JUMP! and you jumped.
You seem to be arguing that people shouldn't be encouraged to lock their doors when leaving because sometimes they forget to lock their windows. But actually we need to encourage people to do *both*.
-- Michael Martinez http://www.michael-martinez.com/ YOU CAN HELP OUR WOUNDED WARRIORS http://www.woundedwarriorproject.org/
On 12/18/2014 7:14 PM, Donald Stufft wrote:This is not about how TLS works. This is about whether Google's
> I'm not going to sit here and do the research that you should already be doing for yourself, but here is one link that explains how some smart phone apps were compromised. It's disturbing to see that people working on security protocols are not aware of articles that have appeared on security blogs, in news media, and on university Websites.
>
> A Study of SSL Proxy Attacks on Android and iOS Mobile Applications
> http://harvey.binghamton.edu/~ychen/CCNC2014_SSL_Attacks.pdf
>
> This is only one example.
> A skim of this shows that this is about mobile apps not correctly verifying TLS and has nothing to do with whether TLS as a protocol is broken. Probably you should learn how TLS actually works and read the papers you are linking before making extraordinary claims.
proposal to convert the entire Web into using HTTPS protocol is going to
magically protect users' privacy against compromise. The bad guys are
looking for vulnerabilities in everything and they are finding those
vulnerabilities. They don't have to crack TLS. They only have to
bypass it.
The details of the security protocols are only one part of the picture.
It doesn't matter if one part of the system works as expected if other
parts are not. Google is trying to force everyone to use TLS when it
can still be bypassed. That is not a good approach because it creates
burdens for millions of websites that have no benefit for anyone,
visitors or site owners. Only the companies that sell security features
will benefit.
On 12/18/2014 7:17 PM, Chris Palmer wrote:Agreed. The paper only looks at mobile apps, of which only some were
> On Thu, Dec 18, 2014 at 4:08 PM, Michael Martinez
> <michael...@xenite.org> wrote:
>
>> A Study of SSL Proxy Attacks on Android and iOS Mobile Applications
>> http://harvey.binghamton.edu/~ychen/CCNC2014_SSL_Attacks.pdf
> That paper describes bugs in the certificate validation procedures *of
> specific clients*. (Note that the authors call out the fact that the
> clients in question are *not* browsers.)
found to be compromised. But those of you responding with objections
are completely missing the point. Google wants everyone to switch over
to using secure protocols and the execution will not only never be
perfect, the hackers already have sufficient information about how the
SYSTEM works that they are seeking other ways to bypass the security.
All they have to do is insert a rogue proxy somewhere in the middle, and
they can do that in a lot of different ways.
If the browser detects a problem with the certificate, great, the user
gets a warning (and about half of all users ignore them according to
some research). On the other hand, when the legitimate
certficate-serving resources are compromised, then what?
Google proposes that everyone use HTTPS, even when they are not
collecting data from end-users. This will only result in more Websites
being improperly flagged for poor execution. And how does that protect
anyone from what is actually being done to steal user data at the access
point?
We don't need to find bugs in Chrome to ask why it's necessary to force
everyone to use HTTPS. What we need is a valid argument for why
everyone should do that.
Access point security is not all about who is sniffing unsecure
connections, so forcing us to use only secure connections on the pretext
that it makes us all safer just doesn't work as an argument in favor of
Google's proposal.
You’re missing a step here, “All they have to do is insert a rogue proxy somewhere in the middle AND either get a certificate incorrectly issued to them (really hard to do) or the client software in question needs to not properly implement TLS. In this as far as anyone is currently aware Chrome (and Mozilla, and all the major browsers) are currently implementing TLS correctly so unless someone finds a bug there (which would be promptly fixed) and the CA vendors are not currently mis-issuing certificates.
> On Dec 18, 2014, at 7:44 PM, Michael Martinez <michael...@xenite.org> wrote:
>
> On 12/18/2014 7:17 PM, Chris Palmer wrote:
>> On Thu, Dec 18, 2014 at 4:08 PM, Michael Martinez
>> <michael...@xenite.org> wrote:
>>
>>> A Study of SSL Proxy Attacks on Android and iOS Mobile Applications
>>> http://harvey.binghamton.edu/~ychen/CCNC2014_SSL_Attacks.pdf
>> That paper describes bugs in the certificate validation procedures *of
>> specific clients*. (Note that the authors call out the fact that the
>> clients in question are *not* browsers.)
>
> Agreed. The paper only looks at mobile apps, of which only some were found to be compromised. But those of you responding with objections are completely missing the point. Google wants everyone to switch over to using secure protocols and the execution will not only never be perfect, the hackers already have sufficient information about how the SYSTEM works that they are seeking other ways to bypass the security. All they have to do is insert a rogue proxy somewhere in the middle, and they can do that in a lot of different ways.
I think that attempting to hold up improvements to one link in the chain under the guise that unless they can secure every link in the chain is boorish behavior.
>
> If the browser detects a problem with the certificate, great, the user gets a warning (and about half of all users ignore them according to some research). On the other hand, when the legitimate certficate-serving resources are compromised, then what?
User data that a website collects isn’t the only purpose of TLS. What articles someone reads on a news site can also be personal information that people do not wish to have given out to anyone who is on the same coffee shop WIFI as they are. TLS also provides more than just privacy, it also provides integrity checks. This prevents people from modifying a blog post that includes instructions for installing some software and replacing them with instructions that actually install something malicious.
>
> Google proposes that everyone use HTTPS, even when they are not collecting data from end-users. This will only result in more Websites being improperly flagged for poor execution. And how does that protect anyone from what is actually being done to steal user data at the access point?
Indicating that the connection isn’t secure isn’t forcing everyone to use HTTPS. Disabling HTTP access altogether would do that, but nobody is suggesting that. All this proposal really does is have the user agents be honest and ethically inform their users of the properties of their current connection.
>
> We don't need to find bugs in Chrome to ask why it's necessary to force everyone to use HTTPS. What we need is a valid argument for why everyone should do that.
> To unsubscribe from this group and stop receiving emails from it, send an email to securi...@chromium.org.
>
> Access point security is not all about who is sniffing unsecure connections, so forcing us to use only secure connections on the pretext that it makes us all safer just doesn't work as an argument in favor of Google's proposal.
>
>
> --
> Michael Martinez
> http://www.michael-martinez.com/
>
> YOU CAN HELP OUR WOUNDED WARRIORS
> http://www.woundedwarriorproject.org/
>
On Thu, Dec 18, 2014 at 4:22 PM, Michael Martinez <michael...@xenite.org> wrote:The first article describes a Double Direct attack, which is an alternative to ARP poisoning. HTTPS won't defend against the Double Direct method.
Sorry, but you're basing the claim that HTTPS won't defend against it on what? Do you understand how IP routing tables work and what the security consequences of hijacking the IP transit of HTTPS connections are? In particular, do you understand how it affects SSL certificate host validation?
On Thu, Dec 18, 2014 at 4:18 PM, Monica Chew <m...@mozilla.com> wrote:
> On Thu, Dec 18, 2014 at 12:27 PM, Chris Palmer <pal...@google.com> wrote:
>>
>> On Thu, Dec 18, 2014 at 12:12 PM, Monica Chew <m...@mozilla.com> wrote:
>>
>> > I support the goal of this project, but I'm not sure how we can get to a
>> > point where showing warning indicators makes sense. It seems that about
>> > 67%
>> > of pageviews on the Firefox beta channel are http, not https. How are
>> > Chrome's numbers?
>>
>> Currently, roughly 58% of top-level navigations in Chrome are HTTPS.
navigations (fragment change, pushState) as top-level navigations.
I added Navigation.MainFrameSchemeDifferentPage recently which
excludes these navigations, and the fraction of navigations that are
https is significantly lower.
This has only made it to dev channel, so I'm hesitant to put too much
weight on the results at this point. But it might at least be
consistent.
That being said, I'd prefer metrics which would be "Mean Active
Browsing Time Between Warnings" rather than page load based metrics -
both because they may be easier to be consistent, and because it's
possibly closer to a measure of warning fatigue.
>
>>
>>
>> > Security warnings are often overused and therefore ignored [1]; it's
>> > even
>> > worse to provide a warning for something that's not actionable. I think
>> > we'd
>> > have to see very low plaintext rates (< 1%) in order not to habituate
>> > users
>> > into ignoring a plaintext warning indicator.
>>
>> (a) Users are currently habituated to treat non-secure transport as
>> OK. The status quo is terrible.
>>
>> (b) What Peter Kasting said: we propose a passive indicator, not a
>> pop-up or interstitial.
> Monica
> On Thu, Dec 18, 2014 at 12:27 PM, Chris Palmer <pal...@google.com> wrote:
>>
>> On Thu, Dec 18, 2014 at 12:12 PM, Monica Chew <m...@mozilla.com> wrote:
>>
>> > I support the goal of this project, but I'm not sure how we can get to a
>> > point where showing warning indicators makes sense. It seems that about
>> > 67%
>> > of pageviews on the Firefox beta channel are http, not https. How are
>> > Chrome's numbers?
>>
>> Currently, roughly 58% of top-level navigations in Chrome are HTTPS.
>It's possible this is due to Firefox not counting same-frame
>
> Thanks for the numbers. That's a significant gap (58% vs 33%). Do you have
> any idea why this might be the case?
navigations (fragment change, pushState) as top-level navigations.
I added Navigation.MainFrameSchemeDifferentPage recently which
excludes these navigations, and the fraction of navigations that are
https is significantly lower.
This has only made it to dev channel, so I'm hesitant to put too much
weight on the results at this point. But it might at least be
consistent.
That being said, I'd prefer metrics which would be "Mean Active
Browsing Time Between Warnings" rather than page load based metrics -
both because they may be easier to be consistent, and because it's
possibly closer to a measure of warning fatigue.
>
>>
>>
>> > Security warnings are often overused and therefore ignored [1]; it's
>> > even
>> > worse to provide a warning for something that's not actionable. I think
>> > we'd
>> > have to see very low plaintext rates (< 1%) in order not to habituate
>> > users
>> > into ignoring a plaintext warning indicator.
>>
>> (a) Users are currently habituated to treat non-secure transport as
>> OK. The status quo is terrible.
>>
>> (b) What Peter Kasting said: we propose a passive indicator, not a
>> pop-up or interstitial.
>> Firefox's case). Other passive indicators (e.g., Prop 65 warnings if you
>
> I understand the desire here, but a passive indicator is not going to change
> the status quo if it's shown 42% of the time (or 67% of the time, in
> live in California, or compiler warnings that aren't failures) haven't> succeeded in changing the status quo. Again, what's the action that typical
> users are going to take when they see a passive indicator?> Thanks,
>
> Monica
I have been asked offlist to stand down for at least a day to let this
discussion cool down. And it's obvious that those of you who are
defending TLS against nothing I have said are tuning out what I am
trying to say. This WILL be my last reply even though I know there are
other responses that really are missing the point.
proposal to flag all non-secure Websites to the security lists. In
responding to their proposal I have shown you multiple examples of how
user privacy is violated in spite of the use of TLS. It's not that TLS
doesn't work. It's that it is being used in a system that is full of holes.
People who use their work networks to browse the Web have to accept that
their employers have a legal right to monitor their activity; if they
are in a public wifi spot and they connect to the wrong router, they are
hosed. Even in a secure connection the employers and bad guys can still
see where the packets are going if they control access point.
I don't care how much TLS is improved from this point on (because in the
end I have to trust my credit card data with the idiot storing that data
in an unencrypted database that isn't properly firewalled). I do care
about whether the security community joins Google's campaign to convert
the Web to using a protocol that is totally inappropriate in situations
where no secure data exchange is required. Sure, I get that a Website
login can be sniffed in a public wifi spot; that is why hackers use
methods to bypass TLS protections.
I ask that if you want to respond to me, then respond to my questions.
Please don't bring up TLS and Chrome again. That isn't what this is about.
Website owners will want to know why users should not trust their sites
when they don't ask for or require credit card information. This
proposal is part of Google's long-term campaign to change the entire
Web. They have yet to explain why the Web needs to get off of HTTP.
The fact a small percentage of people don't want anyone to know what
sites they browse isn't good enough.
There is nothing ethical in Google's proposal. It is a dirty, underhanded propaganda tactic that sidesteps a fair and open public discussion with the people who will be most affected. They are enticing the security community into supporting a sweeping change without fully explaining WHY they want it or why it should even be expected to provide any benefit.
Earlier this year Google disclosed that it was giving a slight boost in its search results to Websites that use HTTPS. Many marketers immediately began discussing the implications of this algorithmic change but they don't know how to do the math.
If the same boost is applied to every site then the signal washes out in the mix. But it is a carrot that Google has dangled in front of the donkeys.
They love to dangle carrots. See those carrots for what they are. DEMAND A FULL EXPLANATION FROM GOOGLE for why this proposal should be adopted.
discussion cool down. And it's obvious that those of you who are
defending TLS against nothing I have said are tuning out what I am
trying to say. This WILL be my last reply even though I know there are
other responses that really are missing the point.
This has nothing to do with whether TLS works. Google brought its
On 12/18/2014 7:54 PM, Donald Stufft wrote:
> Agreed. The paper only looks at mobile apps, of which only some were found to be compromised. But those of you responding with objections are completely missing the point. Google wants everyone to switch over to using secure protocols and the execution will not only never be perfect, the hackers already have sufficient information about how the SYSTEM works that they are seeking other ways to bypass the security. All they have to do is insert a rogue proxy somewhere in the middle, and they can do that in a lot of different ways.
> You’re missing a step here, “All they have to do is insert a rogue proxy somewhere in the middle AND either get a certificate incorrectly issued to them (really hard to do) or the client software in question needs to not properly implement TLS. In this as far as anyone is currently aware Chrome (and Mozilla, and all the major browsers) are currently implementing TLS correctly so unless someone finds a bug there (which would be promptly fixed) and the CA vendors are not currently mis-issuing certificates.
proposal to flag all non-secure Websites to the security lists. In
responding to their proposal I have shown you multiple examples of how
user privacy is violated in spite of the use of TLS. It's not that TLS
doesn't work. It's that it is being used in a system that is full of holes.
People who use their work networks to browse the Web have to accept that
their employers have a legal right to monitor their activity; if they
are in a public wifi spot and they connect to the wrong router, they are
hosed. Even in a secure connection the employers and bad guys can still
see where the packets are going if they control access point.
I don't care how much TLS is improved from this point on (because in the
end I have to trust my credit card data with the idiot storing that data
in an unencrypted database that isn't properly firewalled). I do care
about whether the security community joins Google's campaign to convert
the Web to using a protocol that is totally inappropriate in situations
where no secure data exchange is required. Sure, I get that a Website
login can be sniffed in a public wifi spot; that is why hackers use
methods to bypass TLS protections.
I ask that if you want to respond to me, then respond to my questions.
Please don't bring up TLS and Chrome again. That isn't what this is about.
Website owners will want to know why users should not trust their sites
when they don't ask for or require credit card information. This
proposal is part of Google's long-term campaign to change the entire
Web. They have yet to explain why the Web needs to get off of HTTP.
The fact a small percentage of people don't want anyone to know what
sites they browse isn't good enough.
It's an act of intimidation. You may not see it that way but many of the Website owners who have to deal with the implications of lost user trust DO. And how the victims of intimidation feel is very important in a discussion of the tools being used.
> Indicating that the connection isn’t secure isn’t forcing everyone to use HTTPS. Disabling HTTP access altogether would do that, but nobody is suggesting that. All this proposal really does is have the user agents be honest and ethically inform their users of the properties of their current connection.
There is nothing ethical in Google's proposal. It is a dirty, underhanded propaganda tactic that sidesteps a fair and open public discussion with the people who will be most affected. They are enticing the security community into supporting a sweeping change without fully explaining WHY they want it or why it should even be expected to provide any benefit.
Earlier this year Google disclosed that it was giving a slight boost in its search results to Websites that use HTTPS. Many marketers immediately began discussing the implications of this algorithmic change but they don't know how to do the math.
If the same boost is applied to every site then the signal washes out in the mix. But it is a carrot that Google has dangled in front of the donkeys.
They love to dangle carrots. See those carrots for what they are. DEMAND A FULL EXPLANATION FROM GOOGLE for why this proposal should be adopted.
On Thu, Dec 18, 2014 at 8:30 PM, Chris Bentzel <cben...@chromium.org> wrote:Sorry, I missed that Adrienne mentioned this earlier. And it looks
> On Thu, Dec 18, 2014 at 4:18 PM, Monica Chew <m...@mozilla.com> wrote:
>> On Thu, Dec 18, 2014 at 12:27 PM, Chris Palmer <pal...@google.com> wrote:
>>>
>>> On Thu, Dec 18, 2014 at 12:12 PM, Monica Chew <m...@mozilla.com> wrote:
>>>
>>> > I support the goal of this project, but I'm not sure how we can get to a
>>> > point where showing warning indicators makes sense. It seems that about
>>> > 67%
>>> > of pageviews on the Firefox beta channel are http, not https. How are
>>> > Chrome's numbers?
>>>
>>> Currently, roughly 58% of top-level navigations in Chrome are HTTPS.
>>
>>
>> Thanks for the numbers. That's a significant gap (58% vs 33%). Do you have
>> any idea why this might be the case?
>
> It's possible this is due to Firefox not counting same-frame
> navigations (fragment change, pushState) as top-level navigations.
like the code location that Monica pointed to would also not cover
this case which would explain the deviation. I also don't know if the
Firefox code would catch cases where main resource is served out of
browser cache, whereas Chrome's Navigation.MainFrameScheme and
Navigation.MainFrameSchemeDifferentPage do.
It would be great to see if Navigation.MainFrameSchemeDifferentPage
ends up close to what Firefox sees.
> Other passive indicators (e.g., Prop 65 warnings if youCitation needed...?
> live in California, or compiler warnings that aren't failures) haven't
> succeeded in changing the status quo.
For Prop 65, last paragraph of http://en.wikipedia.org/wiki/California_Proposition_65_%281986%29#Warning_label. For compiler warnings, just my own anecdotal experience that they aren't attended unless -Werror is true, even if the person compiling is in a position to fix the warning.
> Again, what's the action that typical
> users are going to take when they see a passive indicator?
First, keep in mind that you can't argue that showing the passive
indicator will be both ignored and crying wolf. It's one or the other.
Which argument are you making?
I'm making the argument that most people will ignore passive indicators, the ones who notice it will be frustrated because it's not actionable (other than not visiting the site), especially at the non-HTTPS traffic rates we are seeing, and that there are probably better ways to put pressure on site operators. Sorry if that wasn't clear.
Thanks,
Monica
Monica
On Thu, Dec 18, 2014 at 6:33 PM, Monica Chew <m...@mozilla.com> wrote:Users can take actions like these:
> I'm making the argument that most people will ignore passive indicators, the
> ones who notice it will be frustrated because it's not actionable (other
> than not visiting the site),
* Use the site, but maybe not grant it Geolocation or Camera permission
* Use the site, but be aware that it's not a great place to talk about
sensitive topics
* Use the site, but be aware that these stock price listings might not
be 100% true
* Use the site, but ask the operator why the browser thinks it's Non-Secure
* Use a competing site that does use secure transport
* Hug their real cat instead of looking at cats on the screen
Rather than thinking of it like California Proposition 65, think of it
like those health inspection stores that restaurants have to show:
http://sfscores.com/. Maybe a score of 63 isn't high enough for you,
or maybe you'll get something packaged or heavily cooked.
The truth is sometimes gross, but there are actions you can take.
This is a proposal to tell users the truth, and to stop lying by omission.
> especially at the non-HTTPS traffic rates we
> are seeing, and that there are probably better ways to put pressure on site
> operators. Sorry if that wasn't clear.
If some users pressure site operators (either with tech support calls
or by exerting market pressure), or if site operators decide
unilaterally that they don't like the truth and then choose to fix it,
that is a second-order effect. A good second-order effect which makes
me happy, but it's not my primary goal with this proposal.
On 18/12/14 19:29, Chris Palmer wrote:
> We don't currently have any hard thresholds, just numbers that I kind
> of made up. Any suggestions?
>
> Also, shall we measure resource loads, top-level navigations, minutes
> spent looking at the top-level origin, ...? Probably all of those and
> more...
Very good questions. All of those are interesting metrics; it would be
interesting to try and see, on a small scale, if any of the
harder-to-measure ones actually track the easier-to-measure ones! :-)
I'd say top-level is key, as that's what the UI indicators relate to.
Probably site count is a bit more important than minutes spent - and
easier and less privacy-invasive to track, to boot.
Gerv
> We don't currently have any hard thresholds, just numbers that I kind
> of made up. Any suggestions?
>
> Also, shall we measure resource loads, top-level navigations, minutes
> spent looking at the top-level origin, ...? Probably all of those and
> more...
Very good questions. All of those are interesting metrics; it would be
interesting to try and see, on a small scale, if any of the
harder-to-measure ones actually track the easier-to-measure ones! :-)
I'd say top-level is key, as that's what the UI indicators relate to.
Probably site count is a bit more important than minutes spent - and
easier and less privacy-invasive to track, to boot.
Gerv
Good Afternoon,
I have read the proposal regarding marking HTTP as non-secure. I feel that it is a good step to let users know when their information is not secure, however I also feel that applying this across the board may be too broad of stroke.
If users are on sites that are transmitting any personally identifiable information, such as geo-location information, name, address, telephone, etc., to a non-secure site that the user should definitely be informed. However there are also plenty of cases where a site may not employ HTTPS that the user does not necessarily need to be notified about. Good examples of this may be news sites, blogs, etc., where a user does not need to login or provide any other information. In these cases (where no data is being transmitted) HTTPS is not necessary and if users are being warned about every site they are going to (that doesn't use HTTPS and doesn't transmit any data), I believe a lot of users will start ignoring the warning (or call their IT company) and then the warning will provide no additional benefit.
If possible, I believe this the warning would be better used in cases where a user is on a site not using HTTPS but is still transmitting personal information (location, name, telephone, etc.) in addition to login pages not using HTTPS. I don't know the feasibility for this, but I strongly feel that the more specific the warning could be (instead of just every HTTP site), the more useful they will and will hopefully users will be more attentive to them when they appear.
Thank You,
Dominick Marciano
Programmer/IT Consultant
While the transmission of data is indeed an active concern, I believe you underestimate the risks and attacks posed by the mere passive receipt of data.
This could be the viewing of a video that is contrarian to local authorities. It could be reading an article on reproductive health or religious beliefs that are contrary to local norms. Revealing this information could get you in "trouble", for some definition of trouble.
You could be reading the news and using the information as part of your investment and long-term planning. An attacker who can modify this can convince you that the sky is falling - or that there is a grand new investment opportunity.
You could be reading a blog, but which an attacker changes the content to suggest the blogger is endorsing or holding views contrary to what they really hold.
You could be just browsing the web, and a pervasive passive monitor could use this to build a profile of you, to track your related experiences on a variety of sites, to cross-reference your interactions, and then declare you a "threat" for otherwise benign interactions.
You could be reading a website supported by advertising, but that advertising might be rewritten to credit the attacker, rather than the site you're reading. Over time, the site you're reading may need to shut down, because all of their revenue has been stolen by attackers.
The reality is that the confidentiality, integrity, and authenticity of the content matters just as much for the receiver as it does the sender. This is not merely being done solely for privacy grounds - but even if it was, that goal would only be achievable if the response was as protected as the request.
The other reality is that the mere act of an HTTP Request leaks a lot of ambient state that is not intuitively associable with a user's action or intent. Further, when you consider cookies, any proposal to do it heuristically on the request devolves quickly into doing it for (effectively) every request. This proposal not only simplifies what is expected of developers AND vastly simplifies what is messaged to users, but it can provide real protection.
However, even on top of all that, this proposal is not explicitly geared towards any of what I said - even though it is all true. It is about ensuring user agents do not mislead users about the state of the connection, as they have for so long, implying through omission that their connections are secure or private. For whatever attacks there may be on HTTPS, whether implementation to operation, whatever attacks there may be on the content, such as XSS or CSRF, it is unquestionable that HTTP is an insecure transport that offers zero confidentiality, zero integrity, and zero authenticity, and user agents should appropriately reflect that hard truth.
From: blin...@chromium.org [mailto:blin...@chromium.org] On Behalf Of Dominick Marciano
For example, if http://example-company.com is transmitted over HTTP instead of HTTPS, any network attacker can modify the page to insert inaccurate, misleading, and harmful statements about Example Company's products, leadership, plans, or stock price.
Similarly, if http://example-news.com or http://example-blog.com is transmitted over HTTP instead of HTTPS, any network attacker can modify the news to insert false news, opinions, product reviews, or advertisements.
Finally, in all cases, network attackers can use the insecure connection to insert additional tracking, advertising, and privacy-invading devices into the page, as well as simply track the traffic flow itself (without any modifications).
And in all cases, "network attacker" does not mean someone is out to get you. It means you are sitting in a public wifi hotspot and someone is running a broad program to modify the traffic of all users, or you are using an ISP with less-than-stellar morals, or you are subject to government surveillance by virtue of e.g. living in the USA. If a user is using the free wifi at a coffee-shop inside a bookstore, users should be told that the prices on Amazon.com might be artificially jacked up by virtue of network traffic modification. If users are using the free WiFi inside Airline X's terminal, they should be told that if Airline Y serves their page over HTTP, the 404s they might be getting trying to book flights over on that site might not be entirely legitimate. Etc.
In all cases the user has no way of telling that the attacker modified the connection. Thus, it seems very wise to be honest with the user, and tell them that the connection is insecure and that nothing they see on the page can be trusted.
I see this misconception a lot, that you don't need HTTPS for sites which the user doesn't interact with in some "sensitive" way. This is just false.
> If users are on sites that are transmitting any personally identifiable information, such as geo-location information, name, address, telephone, etc., to a non-secure site that the user should definitely be informed. However there are also plenty of cases where a site may not employ HTTPS that the user does not necessarily need to be notified about. Good examples of this may be news sites, blogs, etc., where a user does not need to login or provide any other information.
For example, if http://example-company.com is transmitted over HTTP instead of HTTPS, any network attacker can modify the page to insert inaccurate, misleading, and harmful statements about Example Company's products, leadership, plans, or stock price.
Similarly, if http://example-news.com or http://example-blog.com is transmitted over HTTP instead of HTTPS, any network attacker can modify the news to insert false news, opinions, product reviews, or advertisements.
Finally, in all cases, network attackers can use the insecure connection to insert additional tracking, advertising, and privacy-invading devices into the page, as well as simply track the traffic flow itself (without any modifications).
And in all cases, "network attacker" does not mean someone is out to get you. It means you are sitting in a public wifi hotspot and someone is running a broad program to modify the traffic of all users, or you are using an ISP with less-than-stellar morals, or you are subject to government surveillance by virtue of e.g. living in the USA. If a user is using the free wifi at a coffee-shop inside a bookstore, users should be told that the prices on Amazon.com might be artificially jacked up by virtue of network traffic modification. If users are using the free WiFi inside Airline X's terminal, they should be told that if Airline Y serves their page over HTTP, the 404s they might be getting trying to book flights over on that site might not be entirely legitimate. Etc.
In all cases the user has no way of telling that the attacker modified the connection. Thus, it seems very wise to be honest with the user, and tell them that the connection is insecure and that nothing they see on the page can be trusted.
TLS does more things than just provide secrecy about information that the user is sending *to* the site.
For example, you mentioned the news. The integrity of the content of that site is extremely important. Maybe the news is posting locations and times when polls are opening for elections, or maybe there is an article talking about the performance of some companies and someone goes and uses that information to make a purchasing decision.
You’ve also mentioned blogs, It’s not unusual that I personally read some technical blogs and in the course of that they may describe commands that I should run to try something out that they are describing. Without checking the integrity of that a MITM could easily change those commands to do something malicious instead of what the blog post claims they are.
Beyond integrity, a completely anonymous HTTP request (No cookies, no geo-location, etc) can also provide some incredibly personal information. Maybe the person in question is looking up information on having a particular medical condition and now a MITM can easily see that this person went to a local doctor’s website, then went to a few websites about dealing with a specific condition, then went to a specialists website.
It’s incredibly difficult to look at any one particular website and say that all of the data that is contained within that website, all of the data that a user might send to that website, and all of the traffic analysis that shows what part of that website the user went to isn’t sensitive personal information. Given that there’s no way to determine what is important to the end user or not, there’s no real way around letting the end user make that decision. Making a decision requires being informed and what this proposal really does is tell the users the truth so they can make that informed decision instead of lying to them by omission.
---Donald StufftPGP: 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
I adapted Ryan's reply to be a new FAQ answer in the Chromium wiki:
https://sites.google.com/a/chromium.org/dev/Home/chromium-security/education/tls?pli=1#TOC-The-only-security-guarantee-TLS-provides-is-confidentiality.
https://sites.google.com/a/chromium.org/dev/Home/chromium-security/education/tls?pli=1#TOC-The-only-security-guarantee-TLS-provides-is-confidentiality.
Why not shift the onus from the user to the site operators? I would love to see a "wall of shame" for the Alexa top 1M sites that don't support HTTPS,
Just to follow up on this, from section 5.4 of http://randomwalker.info/publications/cookie-surveillance-v2.pdf, 87% of the sites from Alexa top 500 serve HTTP by default, and 66% of them don't serve HTTPS at all, as measured by using HTTPS-Everywhere.
Thanks,
Monica
Thanks,
Monica
redirect HTTPS to HTTP, and don't support HSTS. Perhaps search providers could use those to penalize rankings, as Google already does for non HTTPS sites. Efforts to make it cheap and easy to deploy HTTPS also need to advance.
Thanks,
Monica
[1] http://lorrie.cranor.org/pubs/sslwarnings.pdfOn Fri, Dec 12, 2014 at 4:46 PM, Chris Palmer <pal...@google.com> wrote:Hi everyone,
Apologies to those of you who are about to get this more than once, due to
the cross-posting. I'd like to get feedback from a wide variety of people:
UA developers, web developers, and users. The canonical location for this
proposal is:
https://www.chromium.org/Home/chromium-security/marking-http-as-non-secure.
Proposal
We, the Chrome Security Team, propose that user agents (UAs) gradually
change their UX to display non-secure origins as affirmatively non-secure.
We intend to devise and begin deploying a transition plan for Chrome in
2015.
The goal of this proposal is to more clearly display to users that HTTP
provides no data security.
Request
We’d like to hear everyone’s thoughts on this proposal, and to discuss with
the web community about how different transition plans might serve users.
Background
We all need data communication on the web to be secure (private,
authenticated, untampered). When there is no data security, the UA should
explicitly display that, so users can make informed decisions about how to
interact with an origin.
Roughly speaking, there are three basic transport layer security states for
web origins:
-
Secure (valid HTTPS, other origins like (*, localhost, *));
-
Dubious (valid HTTPS but with mixed passive resources, valid HTTPS with
minor TLS errors); and
-
Non-secure (broken HTTPS, HTTP).
For more precise definitions of secure and non-secure, see Requirements for
Powerful Features <http://www.w3.org/TR/powerful-features/> and Mixed
Content <http://www.w3.org/TR/mixed-content/>.
We know that active tampering and surveillance attacks, as well as passive
surveillance attacks, are not theoretical but are in fact commonplace on
the web.
RFC 7258: Pervasive Monitoring Is an Attack
<https://tools.ietf.org/html/rfc7258>
NSA uses Google cookies to pinpoint targets for hacking
<http://www.washingtonpost.com/blogs/the-switch/wp/2013/12/10/nsa-uses-google-cookies-to-pinpoint-targets-for-hacking/>
Verizon’s ‘Perma-Cookie’ Is a Privacy-Killing Machine
<http://www.wired.com/2014/10/verizons-perma-cookie/>
How bad is it to replace adSense code id to ISP's adSense ID on free
Internet?
<http://stackoverflow.com/questions/25438910/how-bad-is-it-to-replace-adsense-code-id-to-isps-adsense-id-on-free-internet>
Comcast Wi-Fi serving self-promotional ads via JavaScript injection
<http://arstechnica.com/tech-policy/2014/09/why-comcasts-javascript-ad-injections-threaten-security-net-neutrality/>
Erosion of the moral authority of transparent middleboxes
<https://tools.ietf.org/html/draft-hildebrand-middlebox-erosion-01>
Transitioning The Web To HTTPS <https://w3ctag.github.io/web-https/>
We know that people do not generally perceive the absence of a warning sign.
(See e.g. The Emperor's New Security Indicators
<http://commerce.net/wp-content/uploads/2012/04/The%20Emperors_New_Security_Indicators.pdf>.)
Yet the only situation in which web browsers are guaranteed not to warn
users is precisely when there is no chance of security: when the origin is
transported via HTTP. Here are screenshots of the status quo for non-secure
domains in Chrome, Safari, Firefox, and Internet Explorer:
[image: Screen Shot 2014-12-11 at 5.08.48 PM.png]
[image: Screen Shot 2014-12-11 at 5.09.55 PM.png]
[image: Screen Shot 2014-12-11 at 5.11.04 PM.png]
[image: ie-non-secure.png]
Particulars
UA vendors who agree with this proposal should decide how best to phase in
the UX changes given the needs of their users and their product design
constraints. Generally, we suggest a phased approach to marking non-secure
origins as non-secure. For example, a UA vendor might decide that in the
medium term, they will represent non-secure origins in the same way that
they represent Dubious origins. Then, in the long term, the vendor might
decide to represent non-secure origins in the same way that they represent
Bad origins.
Ultimately, we can even imagine a long term in which secure origins are so
widely deployed that we can leave them unmarked (as HTTP is today), and
mark only the rare non-secure origins.
There are several ways vendors might decide to transition from one phase to
the next. For example, the transition plan could be time-based:
1.
T0 (now): Non-secure origins unmarked
2.
T1: Non-secure origins marked as Dubious
3.
T2: Non-secure origins marked as Non-secure
4.
T3: Secure origins unmarked
Or, vendors might set thresholds based on telemetry that measures the
ratios of user interaction with secure origins vs. non-secure. Consider
this strawman proposal:
1.
Secure > 65%: Non-secure origins marked as Dubious
2.
Secure > 75%: Non-secure origins marked as Non-secure
3.
Secure > 85%: Secure origins unmarked
The particular thresholds or transition dates are very much up for
discussion. Additionally, how to define “ratios of user interaction” is
also up for discussion; ideas include the ratio of secure to non-secure
page loads, the ratio of secure to non-secure resource loads, or the ratio
of total time spent interacting with secure vs. non-secure origins.
We’d love to hear what UA vendors, web developers, and users think. Thanks
for reading!
_______________________________________________
dev-security mailing list
dev-se...@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
On Fri, Dec 19, 2014 at 1:34 PM, Monica Chew <m...@mozilla.com> wrote:Why not shift the onus from the user to the site operators? I would love to see a "wall of shame" for the Alexa top 1M sites that don't support HTTPS,Just to follow up on this, from section 5.4 of http://randomwalker.info/publications/cookie-surveillance-v2.pdf, 87% of the sites from Alexa top 500 serve HTTP by default, and 66% of them don't serve HTTPS at all, as measured by using HTTPS-Everywhere.
Thanks,
Monica
Shaming operators of unencrypted sites completely muddies the message and makes it looks like this effort is about coercing site operators into using HTTPS rather than being about directly improving user experience.
In current implementations, there's no signaling by the browser to say "this site isn't encrypted." There's the *absence* of signaling about security, but that's not the same thing as positively saying that a site was delivered over an insecure channel.
This is pretty critical because in the absence of clear messaging, you're relying on the site to be conscientious and forthcoming about the security of their transport. If I go to download.com to find an antivirus (not to pick on cnet, but it's a common example) I see nothing to tell me that the connection is insecure; the browser's not alerting me and the site isn't going to volunteer that tidbit either -- nothing to show me that my security software may be tampered with in transit. Sites are free to make their own assertions of security without being contradicted by the browser, even though the browser knows better.
As has been pointed out, the browser can't tell whether a site is safe or trustworthy or follows all the necessary best-practices; nobody can reliably, and that's not the browser's job. But the browser CAN tell whether the connection to that site is secured. That's its job. And right now it's only doing half of that job, giving positive feedback but not negative. By affirmatively identifying insecurity, we can close that loop and give the user complete and unambiguous messaging about the security of his connection.
This isn't about shaming unencrypted sites or coercing everyone to adopt TLS; it's about delivering to the user the information he expects. If site owners respond by adding encryption, that's not a bad result. But we can't make this about forcing sites to change their security posture. Sites are still free to deliver content insecurely; that's not changing. All that's changing is that browsers will no longer overlook the very real threat of tampering and abuse of that connection.
-tylerl
In 1975 I landed my first programming job writing little programs on a
mainframe computer. We had excellent security then. You had to submit
your punch cards at the window and the computer operators took them and
fed them to the machine. 30-60 minutes later you got your printout. If
you were lucky they matched your printout with your punch cards. But
other than that no one in the building knew who I was.
Whole generations of computer technology have come and gone since then
and now I use laptops and smart phones. Now I submit my requests via a
browser or an app to some software on the other side (the computer
operator fellow no longer has a job) and if I am lucky no one has
modified the software on the other end, installed spyware on my
computer, or is capturing my packets. But now the Internet Service
Provider for the access point tracks my activity; whoever owns the
router I'm connected to may track my activity; the Web server or app
server tracks my actvity; the advertising networks track my activity;
and if anyone has compromised any of those potential data collection
points, they can track my activity; and if any of those parties wish to
sell my activity data (and many do) then third parties can also track my
activity.
Enter into this picture the mistaken notion of "secure Websites".
Websites are not secure. There is no such thing. We have encrypted
transmission protocols. We can encrypt the contents that Websites or
app servers send to users, but nothing is *secure*.
Today the browsers tell us we are connected to a "secure" Website with a
little marker. "That's a lie," some of you say. Quite true. It's
dishonest. So now we have a proposal to change the browsers to suggest
to the user that a Website is NOT *secure*, even though that judgment is
made on the basis of one factor: the lack of an encrypted connection.
The implication is that any site not so designated must be *secure*,
which is telling the same lie all over again.
Meanwhile, some of you have expressed concern that your activity in a
coffee shop may be monitored or altered without your knowledge if you
connect to Websites via an unecrypted connection. Fortunately, we can
point to funny little tools like Bacolicious that alter (and monitor)
people's surfing activity even over HTTPS. There are many "reader"
sites that also do this, perhaps loading Web content into a frame, or
maybe launching a window, or both. So that's two ways that anyone can
get around the supposed privacy that surfing via HTTPS confers.
Of course, the packet envelopes aren't encrypted, are they? So if you
really want to prevent anyone from seeing that you're visiting CNN
you're stuck. Somebody somewhere can see the packets. So the whole idea
of defending browser privacy is a washout. In most cases (maybe) no one
is listening for those packets but we know that in some cases criminals
are trying to steal user data (logins, credit cards, whatever they can
grab). The worst-case scenario does happen. That's a given.
So how is marking some Websites as "non-secure" (they all are) improving
the situation? Shaming Website owners for not using encrypted
connections, especially when your only concern is that you don't want
some random stranger to see that you are reading a blog, is not acceptable.
First of all, no one has the moral right to shame other people for not
using encrypted protocols when they are writing about their personal
interests.
Secondly, demanding that the world conform to your expectations of
privacy and then insisting that everyone else bear that burden for your
convenience is also unacceptable.
If you have the power to change the Web, and if you take it upon
yourselves to change the Web, then you owe it to everyone else to explain:
1) WHY it's necessary to do this (protecting your personal browsing
habits does not count)
2) Why THEY are responsible for making the changes YOU want (your
inability to do it for them doesn't count)
3) What is at stake if they resist your mandate
It's only fair (and ethical) to educate the broader community about what
is being proposed and to make a fair and honest business case for it.
They don't owe you a dream experience in secure protocol. Furthermore,
they are going to be very upset with you when their Websites continue to
be hacked, their personal data that was supposedly "protected" by HTTPS
is stolen, and they have to bear THAT burden without any help from you
as well.
The Internet is far from a perfect thing. No one foresaw all the
innovations that would grow from connecting two machines together at
Berkeley. No one foresaw these great debates about what is morally
acceptable, what is necessary to prevent theft and fraud, and privacy.
The technology was not designed for privacy. It was designed to make it
easier to share information. That is what the Internet does.
We added security protocols here and there to protect what can be
protected, but the protections are ephemeral. HTTPS guards the bridges
and intersections on a long highway, and maybe they do need to be
guarded because those are high risk points, but the rest of the highway
is still vulnerable.
Before you push the world to adopt HTTPS for everything, spend some time
looking at the big picture. In 20-30 years some of you will be in my
position, speaking for the people who don't know enough to speak for
themselves. You have an opportunity here NOT to repeat the pattern of
glib mistakes that has brought us down the road to a conglomeration of
technological solutions that don't all work together.
There will be pushback from the Web community. They will be constrained
by a lack of resources, if nothing else. That lack can be remedied with
some changes in the way security certificates are handled, but there
will also be expenses, and many small Website owners don't make any
money from their sites. They want their own domain names, their own
cheap hosting solutions, and they don't care about whether you feel safe
reading CNN in a coffee shop over public WiFi.
It might be better for the browser developers (the UA owners) to think
in terms of validating the connection to the Website, and not simply in
terms of validating the protocol being used to connect to the Website.
Man-in-the-Middle attacks still afflict people trying to reach HTTPS
Websites, even if you believe it's only because they are clicking past
invalid security certificate warnings, unintentionally installing
malware, or whatever.
The point is, HTTPS only slows the pace of MITM attacks against the user
community. It doesn't stop it.
How do you validate a connection? That will take some thought. Maybe
every URL can return a checksum that is compared to a remotely hosted
checksum (much like DNS and security certificates). If the browser
cannot retrieve a checksum from the requested URL or if the checksums
don't match, you give the user some options.
Better detection of proxy attacks from the browser would also help. The
average user won't know what is going on but if the browser can detect a
compromised connection then why not simply break it? I would not expect
100% certainty but the user can always try again.
If marking HTTPS Websites as "secure" doesn't work (largely because of
the widespread ignorance in the general population) then why would you
expect the alternative of marking HTTP sites as "UNsecure" to work? The
message will be lost on the masses.
There is no easy solution to the problem. Please don't try to force
something like this on everyone else. You need to take their needs and
concerns into consideration, too. They already have to live with the
consequences of not knowing which Web services are best for them.
Having to deal with user mistrust because the browser raised an issue
about "security" is just one more hassle that will not make the Web a
safer place.
Keep HTTPS where it is until you can solve all the other problems,
because promising to make the Web safer for everyone is much easier than
actually doing it.
mainframe computer. We had excellent security then. You had to submit
your punch cards at the window and the computer operators took them and
fed them to the machine. 30-60 minutes later you got your printout. If
you were lucky they matched your printout with your punch cards. But
other than that no one in the building knew who I was.
Whole generations of computer technology have come and gone since then
and now I use laptops and smart phones. Now I submit my requests via a
browser or an app to some software on the other side (the computer
operator fellow no longer has a job) and if I am lucky no one has
modified the software on the other end, installed spyware on my
computer, or is capturing my packets. But now the Internet Service
Provider for the access point tracks my activity; whoever owns the
router I'm connected to may track my activity; the Web server or app
server tracks my actvity; the advertising networks track my activity;
and if anyone has compromised any of those potential data collection
points, they can track my activity; and if any of those parties wish to
sell my activity data (and many do) then third parties can also track my
activity.
Enter into this picture the mistaken notion of "secure Websites".
Websites are not secure. There is no such thing. We have encrypted
transmission protocols. We can encrypt the contents that Websites or
app servers send to users, but nothing is *secure*.
Today the browsers tell us we are connected to a "secure" Website with a
little marker. "That's a lie," some of you say. Quite true. It's
dishonest. So now we have a proposal to change the browsers to suggest
to the user that a Website is NOT *secure*, even though that judgment is
made on the basis of one factor: the lack of an encrypted connection.
The implication is that any site not so designated must be *secure*,
which is telling the same lie all over again.
Meanwhile, some of you have expressed concern that your activity in a
coffee shop may be monitored or altered without your knowledge if you
connect to Websites via an unecrypted connection. Fortunately, we can
point to funny little tools like Bacolicious that alter (and monitor)
people's surfing activity even over HTTPS. There are many "reader"
sites that also do this, perhaps loading Web content into a frame, or
maybe launching a window, or both. So that's two ways that anyone can
get around the supposed privacy that surfing via HTTPS confers.
Of course, the packet envelopes aren't encrypted, are they? So if you
really want to prevent anyone from seeing that you're visiting CNN
you're stuck. Somebody somewhere can see the packets. So the whole idea
of defending browser privacy is a washout. In most cases (maybe) no one
is listening for those packets but we know that in some cases criminals
are trying to steal user data (logins, credit cards, whatever they can
grab). The worst-case scenario does happen. That's a given.
So how is marking some Websites as "non-secure" (they all are) improving
the situation? Shaming Website owners for not using encrypted
connections, especially when your only concern is that you don't want
some random stranger to see that you are reading a blog, is not acceptable.
First of all, no one has the moral right to shame other people for not
using encrypted protocols when they are writing about their personal
interests.
Secondly, demanding that the world conform to your expectations of
privacy and then insisting that everyone else bear that burden for your
convenience is also unacceptable.
If you have the power to change the Web, and if you take it upon
yourselves to change the Web, then you owe it to everyone else to explain:
1) WHY it's necessary to do this (protecting your personal browsing
habits does not count)
2) Why THEY are responsible for making the changes YOU want (your
inability to do it for them doesn't count)
3) What is at stake if they resist your mandate
It's only fair (and ethical) to educate the broader community about what
is being proposed and to make a fair and honest business case for it.
They don't owe you a dream experience in secure protocol. Furthermore,
they are going to be very upset with you when their Websites continue to
be hacked, their personal data that was supposedly "protected" by HTTPS
is stolen, and they have to bear THAT burden without any help from you
as well.
The Internet is far from a perfect thing. No one foresaw all the
innovations that would grow from connecting two machines together at
Berkeley. No one foresaw these great debates about what is morally
acceptable, what is necessary to prevent theft and fraud, and privacy.
The technology was not designed for privacy. It was designed to make it
easier to share information. That is what the Internet does.
We added security protocols here and there to protect what can be
protected, but the protections are ephemeral. HTTPS guards the bridges
and intersections on a long highway, and maybe they do need to be
guarded because those are high risk points, but the rest of the highway
is still vulnerable.
Before you push the world to adopt HTTPS for everything, spend some time
looking at the big picture. In 20-30 years some of you will be in my
position, speaking for the people who don't know enough to speak for
themselves. You have an opportunity here NOT to repeat the pattern of
glib mistakes that has brought us down the road to a conglomeration of
technological solutions that don't all work together.
There will be pushback from the Web community. They will be constrained
by a lack of resources, if nothing else. That lack can be remedied with
some changes in the way security certificates are handled, but there
will also be expenses, and many small Website owners don't make any
money from their sites. They want their own domain names, their own
cheap hosting solutions, and they don't care about whether you feel safe
reading CNN in a coffee shop over public WiFi.
It might be better for the browser developers (the UA owners) to think
in terms of validating the connection to the Website, and not simply in
terms of validating the protocol being used to connect to the Website.
Man-in-the-Middle attacks still afflict people trying to reach HTTPS
Websites, even if you believe it's only because they are clicking past
invalid security certificate warnings, unintentionally installing
malware, or whatever.
The point is, HTTPS only slows the pace of MITM attacks against the user
community. It doesn't stop it.
How do you validate a connection? That will take some thought. Maybe
every URL can return a checksum that is compared to a remotely hosted
checksum (much like DNS and security certificates). If the browser
cannot retrieve a checksum from the requested URL or if the checksums
don't match, you give the user some options.
Better detection of proxy attacks from the browser would also help. The
average user won't know what is going on but if the browser can detect a
compromised connection then why not simply break it? I would not expect
100% certainty but the user can always try again.
If marking HTTPS Websites as "secure" doesn't work (largely because of
the widespread ignorance in the general population) then why would you
expect the alternative of marking HTTP sites as "UNsecure" to work? The
message will be lost on the masses.
There is no easy solution to the problem. Please don't try to force
something like this on everyone else. You need to take their needs and
concerns into consideration, too. They already have to live with the
consequences of not knowing which Web services are best for them.
Having to deal with user mistrust because the browser raised an issue
about "security" is just one more hassle that will not make the Web a
safer place.
Keep HTTPS where it is until you can solve all the other problems,
because promising to make the Web safer for everyone is much easier than
actually doing it.
To be accurate, the browsers tell you that you are browsing via a secure connection, they do not say that the website itself is secure. See http://d.stufft.io/image/3p1x0r3Q3407 and http://d.stufft.io/image/0F1M1A2t0C35 and http://d.stufft.io/image/2G1F2g2j072G. In none of these do they make the claim that the website is secure, it’s just making the claim that the connection to the website is secure.
> On Dec 19, 2014, at 8:06 PM, Michael Martinez <michael...@xenite.org> wrote:
>
> In 1975 I landed my first programming job writing little programs on a mainframe computer. We had excellent security then. You had to submit your punch cards at the window and the computer operators took them and fed them to the machine. 30-60 minutes later you got your printout. If you were lucky they matched your printout with your punch cards. But other than that no one in the building knew who I was.
>
> Whole generations of computer technology have come and gone since then and now I use laptops and smart phones. Now I submit my requests via a browser or an app to some software on the other side (the computer operator fellow no longer has a job) and if I am lucky no one has modified the software on the other end, installed spyware on my computer, or is capturing my packets. But now the Internet Service Provider for the access point tracks my activity; whoever owns the router I'm connected to may track my activity; the Web server or app server tracks my actvity; the advertising networks track my activity; and if anyone has compromised any of those potential data collection points, they can track my activity; and if any of those parties wish to sell my activity data (and many do) then third parties can also track my activity.
>
> Enter into this picture the mistaken notion of "secure Websites". Websites are not secure. There is no such thing. We have encrypted transmission protocols. We can encrypt the contents that Websites or app servers send to users, but nothing is *secure*.
>
> Today the browsers tell us we are connected to a "secure" Website with a little marker. "That's a lie," some of you say. Quite true. It's dishonest. So now we have a proposal to change the browsers to suggest to the user that a Website is NOT *secure*, even though that judgment is made on the basis of one factor: the lack of an encrypted connection.
There is a vast difference from being able to see that someone visited CNN, and that someone visited CNN and read a specific article and possibly even modifying the content of that article.
>
> The implication is that any site not so designated must be *secure*, which is telling the same lie all over again.
>
> Meanwhile, some of you have expressed concern that your activity in a coffee shop may be monitored or altered without your knowledge if you connect to Websites via an unecrypted connection. Fortunately, we can point to funny little tools like Bacolicious that alter (and monitor) people's surfing activity even over HTTPS. There are many "reader" sites that also do this, perhaps loading Web content into a frame, or maybe launching a window, or both. So that's two ways that anyone can get around the supposed privacy that surfing via HTTPS confers.
>
> Of course, the packet envelopes aren't encrypted, are they? So if you really want to prevent anyone from seeing that you're visiting CNN you're stuck. Somebody somewhere can see the packets. So the whole idea of defending browser privacy is a washout. In most cases (maybe) no one is listening for those packets but we know that in some cases criminals are trying to steal user data (logins, credit cards, whatever they can grab). The worst-case scenario does happen. That's a given.
I think you’re fundamentally confused, I do not believe that anyone who is making this proposal is trying to force site operators to use HTTPS. They only want to be honest about whether the connection to the website is secure or not. Some people may be embarrassed by the truth and they may change that, some other people may not care and they’ll say that people can continue to view their site as HTTP only and that’s fine.
>
> So how is marking some Websites as "non-secure" (they all are) improving the situation? Shaming Website owners for not using encrypted connections, especially when your only concern is that you don't want some random stranger to see that you are reading a blog, is not acceptable.
Are you aware that this isn’t going to require people to click through any warnings? This is simply about changing the indicator on a HTTP site so that it reflects the insecure nature of the HTTP transport.
I think the answer to Why is because a browser should not lie to the user about whether or not the connection is secure. The user is free to decide if they want to continue browsing a site where the connection is not secure.
>
> First of all, no one has the moral right to shame other people for not using encrypted protocols when they are writing about their personal interests.
>
> Secondly, demanding that the world conform to your expectations of privacy and then insisting that everyone else bear that burden for your convenience is also unacceptable.
>
> If you have the power to change the Web, and if you take it upon yourselves to change the Web, then you owe it to everyone else to explain:
>
> 1) WHY it's necessary to do this (protecting your personal browsing habits does not count)
> 2) Why THEY are responsible for making the changes YOU want (your inability to do it for them doesn't count)
> 3) What is at stake if they resist your mandate
I really think you should learn what TLS is, what it provides, and how it works before continuing on in this discussion, because what TLS *IS* is a method for validating if a connection is secure. It has absolutely nothing to do with the website being served through it.
>
> It's only fair (and ethical) to educate the broader community about what is being proposed and to make a fair and honest business case for it. They don't owe you a dream experience in secure protocol. Furthermore, they are going to be very upset with you when their Websites continue to be hacked, their personal data that was supposedly "protected" by HTTPS is stolen, and they have to bear THAT burden without any help from you as well.
>
> The Internet is far from a perfect thing. No one foresaw all the innovations that would grow from connecting two machines together at Berkeley. No one foresaw these great debates about what is morally acceptable, what is necessary to prevent theft and fraud, and privacy. The technology was not designed for privacy. It was designed to make it easier to share information. That is what the Internet does.
>
> We added security protocols here and there to protect what can be protected, but the protections are ephemeral. HTTPS guards the bridges and intersections on a long highway, and maybe they do need to be guarded because those are high risk points, but the rest of the highway is still vulnerable.
>
> Before you push the world to adopt HTTPS for everything, spend some time looking at the big picture. In 20-30 years some of you will be in my position, speaking for the people who don't know enough to speak for themselves. You have an opportunity here NOT to repeat the pattern of glib mistakes that has brought us down the road to a conglomeration of technological solutions that don't all work together.
>
> There will be pushback from the Web community. They will be constrained by a lack of resources, if nothing else. That lack can be remedied with some changes in the way security certificates are handled, but there will also be expenses, and many small Website owners don't make any money from their sites. They want their own domain names, their own cheap hosting solutions, and they don't care about whether you feel safe reading CNN in a coffee shop over public WiFi.
>
> It might be better for the browser developers (the UA owners) to think in terms of validating the connection to the Website, and not simply in terms of validating the protocol being used to connect to the Website. Man-in-the-Middle attacks still afflict people trying to reach HTTPS Websites, even if you believe it's only because they are clicking past invalid security certificate warnings, unintentionally installing malware, or whatever.
>
> The point is, HTTPS only slows the pace of MITM attacks against the user community. It doesn't stop it.
>
> How do you validate a connection? That will take some thought. Maybe every URL can return a checksum that is compared to a remotely hosted checksum (much like DNS and security certificates). If the browser cannot retrieve a checksum from the requested URL or if the checksums don't match, you give the user some options.
Again, this is what TLS does.
>
> Better detection of proxy attacks from the browser would also help. The average user won't know what is going on but if the browser can detect a compromised connection then why not simply break it? I would not expect 100% certainty but the user can always try again.
>
> If marking HTTPS Websites as "secure" doesn't work (largely because of the widespread ignorance in the general population) then why would you expect the alternative of marking HTTP sites as "UNsecure" to work? The message will be lost on the masses.
>
> There is no easy solution to the problem. Please don't try to force something like this on everyone else. You need to take their needs and concerns into consideration, too. They already have to live with the consequences of not knowing which Web services are best for them. Having to deal with user mistrust because the browser raised an issue about "security" is just one more hassle that will not make the Web a safer place.
>
> Keep HTTPS where it is until you can solve all the other problems, because promising to make the Web safer for everyone is much easier than actually doing it.
>
>
>
> --
> Michael Martinez
> http://www.michael-martinez.com/
>
> YOU CAN HELP OUR WOUNDED WARRIORS
> http://www.woundedwarriorproject.org/
>
> To unsubscribe from this group and stop receiving emails from it, send an email to securi...@chromium.org.
On 12/19/2014 8:33 PM, Donald Stufft wrote:Then I suggest you go back and reread the other posts from people who
> So how is marking some Websites as "non-secure" (they all are) improving the situation? Shaming Website owners for not using encrypted connections, especially when your only concern is that you don't want some random stranger to see that you are reading a blog, is not acceptable.
> I think you’re fundamentally confused, I do not believe that anyone who is making this proposal is trying to force site operators to use HTTPS.
have said exactly that.
It is precisely this kind of inattention to what is actually being said
that keeps resetting this conversation.
I am very ill right now and I don't have the energy for further
discussion. I hope that the people who need to consider these things
see past the needless nit-pickery and think about the big picture. You
won't be able to undo the damage this proposal will do, if it is carried
out, even if that turns out to be less than some of us fear.
On Fri, Dec 19, 2014 at 7:32 PM, Michael Martinez <michael...@xenite.org> wrote:On 12/19/2014 8:33 PM, Donald Stufft wrote:
So how is marking some Websites as "non-secure" (they all are) improving the situation? Shaming Website owners for not using encrypted connections, especially when your only concern is that you don't want some random stranger to see that you are reading a blog, is not acceptable.
I think you’re fundamentally confused, I do not believe that anyone who is making this proposal is trying to force site operators to use HTTPS.
Then I suggest you go back and reread the other posts from people who have said exactly that.
It is precisely this kind of inattention to what is actually being said that keeps resetting this conversation.
I am very ill right now and I don't have the energy for further discussion. I hope that the people who need to consider these things see past the needless nit-pickery and think about the big picture. You won't be able to undo the damage this proposal will do, if it is carried out, even if that turns out to be less than some of us fear.
It is not needlessly nitpicky. You've made several claims that range from demonstrably inaccurate to factually incorrect. When pressed for details, either you shift the topic to something unrelated or you claim it's not your responsibility to provide those details. When presented with evidence counter to your claim, you ignore it.
You'd be surprised by the number of people making a good faith effort to give you both the benefit of the doubt and to patiently explain to you why you're either misunderstanding the issues at play or downright wrong.
You've confused ARP poisoning with certificate compromise. You've proposed TLS in everything but name, yet argued against TLS. You've conflated "want the world to move to HTTPS" with "force the world to move to HTTPS", when multiple people - the original poster, people from the same organization, and people from different browsers - all pointing out that the two are not the same.
Quothe the original proposal ( https://groups.google.com/a/chromium.org/d/msg/security-dev/DHQLv76QaEM/qTm0E376lswJ )
"We, the Chrome Security Team, propose that user agents (UAs) gradually change their UX to display non-secure origins as affirmatively non-secure."
"HTTPS is the bare minimum requirement for secure web application *transport*. Is secure transport by itself sufficient to achieve total *application-semantic* security? No. But a browser couldn't determine that level of security anyway. Our goal is for the browser to tell as much of the truth as it can programatically determine at run-time."
"(a) Users are currently habituated to treat non-secure transport asOK. The status quo is terrible.
(b) What Peter Kasting said: we propose a passive indicator, not a
pop-up or interstitial. "
"Again, it's a passive indicator;"
More importantly, you've continued to make claims without supporting evidence. This has been explained by https://groups.google.com/a/chromium.org/d/msg/security-dev/DHQLv76QaEM/zWkvtQ7HpB4J and https://groups.google.com/a/chromium.org/d/msg/security-dev/DHQLv76QaEM/FlyAPvETiwMJ and https://groups.google.com/a/chromium.org/d/msg/security-dev/DHQLv76QaEM/n3DGBTbdyiMJ and https://groups.google.com/a/chromium.org/d/msg/security-dev/DHQLv76QaEM/sHWde0wF7akJ
While all feedback is appreciated to some level, you seem to be frustrated by the lack of attention being posed to your points. You've gone as far as to insult the intelligence of those replying in https://groups.google.com/a/chromium.org/d/msg/security-dev/DHQLv76QaEM/sfs-2A1P7rUJ . However, I'd like to again point out (as several have already patiently done so) that you've effectively ignored every single question posed to you, instead turned out to be rather dismissive and rude.
I think we're very aware of the big picture here, and have tried patiently to explain it and to allay your misplaced fears that seem to be based on honest and genuine misunderstanding. However, in the absence of reasonable and rationale discourse, and the absence of new information, perhaps it's best to have had your say for now. In the big picture, continuing to use unauthenticated, non-confidential transports that anyone can modify while presenting them as acceptable and secure is downright dishonest - something the original post explained with a number of examples - https://groups.google.com/a/chromium.org/d/msg/security-dev/DHQLv76QaEM/qTm0E376lswJ .
In current implementations, there's no signaling by the browser to say "this site isn't encrypted." There's the *absence* of signaling about security, but that's not the same thing as positively saying that a site was delivered over an insecure channel.
This is why some websites get away with changing their Favicon to a lock, or even showing a lock image on the page ("see our site is secure")... It's much easier than buying a certificate :-P
It would be better if there was something in the browser... e.g. a red unlocked padlock, with a cross over it, where a HTTPS site either shows a gold/green locked icon, or nothing at all (as the browser doesn't know if the website has other security problems)... then there would be a consistent/better indicator of the connection state.
Craig
Are there plans to update this proposal with UI ideas that individual browsers come up with if the proposal is accepted? I don't think this is something that should be discussed too much (because bikeshedding), but I'd love to get to see it before it goes out ;)
On Sat, Dec 20, 2014 at 12:37 AM, 'Tyler Larson' via blink-dev <blin...@chromium.org> wrote:
On Fri, Dec 19, 2014 at 1:34 PM, Monica Chew <m...@mozilla.com> wrote:Why not shift the onus from the user to the site operators? I would love to see a "wall of shame" for the Alexa top 1M sites that don't support HTTPS,Just to follow up on this, from section 5.4 of http://randomwalker.info/publications/cookie-surveillance-v2.pdf, 87% of the sites from Alexa top 500 serve HTTP by default, and 66% of them don't serve HTTPS at all, as measured by using HTTPS-Everywhere.
Thanks,
MonicaShaming operators of unencrypted sites completely muddies the message and makes it looks like this effort is about coercing site operators into using HTTPS rather than being about directly improving user experience.This isn't about shaming unencrypted sites or coercing everyone to adopt TLS; it's about delivering to the user the information he expects. If site owners respond by adding encryption, that's not a bad result. But we can't make this about forcing sites to change their security posture. Sites are still free to deliver content insecurely; that's not changing. All that's changing is that browsers will no longer overlook the very real threat of tampering and abuse of that connection.
Up until now I thought it is (at least in part) about purposeful shaming into adopting TLS. Thanks for the clarification.
Regarding user experience, I have an issue with statements "Website is secure/insecure encrypted/unencrypted". These things have been said in this discussion many times by some people. I hope that the browser UIs will not resort to such inaccurate simplifications. It is only the _connection_ that is secured/encrypted. The only thing browser can do about the website is to authenticate it.
It seems to me that the word "secure" became somewhat fuzzy in meaning. It would be great if the browsers could hint to users who dig into it (click the indicator icon, say) what secure connection really means in this context: encrypted communication + authenticated communication partner, or absence of these things. The /chromium-security/education/tls page looks useful.
Other option would be to focus on the "threat model" point of view and let the user know that the "connection is protected from being tampered with". I admit that is a mouthful, though.
On Sat, Dec 20, 2014 at 2:53 AM, Jiri Danek <software...@gmail.com> wrote:Are there plans to update this proposal with UI ideas that individual browsers come up with if the proposal is accepted? I don't think this is something that should be discussed too much (because bikeshedding), but I'd love to get to see it before it goes out ;)On Sat, Dec 20, 2014 at 12:37 AM, 'Tyler Larson' via blink-dev <blin...@chromium.org> wrote:On Fri, Dec 19, 2014 at 1:34 PM, Monica Chew <m...@mozilla.com> wrote:Why not shift the onus from the user to the site operators? I would love to see a "wall of shame" for the Alexa top 1M sites that don't support HTTPS,Just to follow up on this, from section 5.4 of http://randomwalker.info/publications/cookie-surveillance-v2.pdf, 87% of the sites from Alexa top 500 serve HTTP by default, and 66% of them don't serve HTTPS at all, as measured by using HTTPS-Everywhere.
Thanks,
MonicaShaming operators of unencrypted sites completely muddies the message and makes it looks like this effort is about coercing site operators into using HTTPS rather than being about directly improving user experience.This isn't about shaming unencrypted sites or coercing everyone to adopt TLS; it's about delivering to the user the information he expects. If site owners respond by adding encryption, that's not a bad result. But we can't make this about forcing sites to change their security posture. Sites are still free to deliver content insecurely; that's not changing. All that's changing is that browsers will no longer overlook the very real threat of tampering and abuse of that connection.Up until now I thought it is (at least in part) about purposeful shaming into adopting TLS. Thanks for the clarification.
That is explicitly a non-goal. Given a threshold-based approach, we need to use /other/ techniques to website owners into adopting TLS before we can start changing the UI treatment.
Regarding user experience, I have an issue with statements "Website is secure/insecure encrypted/unencrypted". These things have been said in this discussion many times by some people. I hope that the browser UIs will not resort to such inaccurate simplifications. It is only the _connection_ that is secured/encrypted. The only thing browser can do about the website is to authenticate it.It seems to me that the word "secure" became somewhat fuzzy in meaning. It would be great if the browsers could hint to users who dig into it (click the indicator icon, say) what secure connection really means in this context: encrypted communication + authenticated communication partner, or absence of these things. The /chromium-security/education/tls page looks useful.Other option would be to focus on the "threat model" point of view and let the user know that the "connection is protected from being tampered with". I admit that is a mouthful, though.
FWIW the string used on Chrome on Android in the OriginInfoBubble is "Your connection to this site is private"; that string will be coming to desktop too. With that being said, it's generally necessary to oversimplify because no one wants to read a long explanation in the browser (that is what help pages are for).
On Dec 18, 2014 10:12 PM, "Monica Chew" <m...@mozilla.com> wrote:> Security warnings are often overused and therefore ignored [1]; it's even
> worse to provide a warning for something that's not actionable. I think
> we'd have to see very low plaintext rates (< 1%) in order not to habituate
> users into ignoring a plaintext warning indicator.
If the indicator is initially unobtrusive (e.g. in Firefox changing the light gray globe to a darker gray eye) and the doorhanger just states the truth about the lack of confidentiality, integrity and authenticity, positive effects can be had even if the bulk of users ignore it. As long as it makes site operators are uneasy with users maybe realizing the truth about http being insecure as opposed to neutral, this may well lead to side operators choosing to switch to https. That is, this initiative can be a success even if most users ignore it, because most users don't need to be the audience for them to benefit. The audience needs to be site operators and a subset of users that the site operators don't want to alienate.
In part, this is about one group trying to fix one problem with one
protocol. Of course it highlights the problems in other places. But
does that mean we shouldn't do the small fixes needed in one area?
the whole issue of traffic analysis is huge, difficult, and probably
best left out of scope.
stopped marketing that certs made sites secure. You won't find CAs
advertising that the cert is needed for security. That's because
annoying people like us made the point that they might have to
substantiate that claim in court. And they knew they couldn't do it
before a jury of (our) peers.
But it is still the case that people use the word "security" with
websites and certs too loosely. We can't really avoid that. But that
bad language should not be the reason not to do things.
1. To stop passive eavesdropping by eg/ie NSA.
2. To stop datamining by ISPs, broadly, etc, and also to stop ISPs
changing content.
3. To provide fuller authentication of websites, cf phishing.
4. To sell more certificates.
Let me talk about 3. Phishing started up in 2003, and since then has
been used as the wedge to open up and finance the entire cyber fraud
industrial sector. Perhaps worse, it is the lead tool in cyberwar where
"spear phishing" is used to spike open an employee's laptop and then get
into a company.
Now, why does phishing work? Simple. The browser cannot tell the user
the difference between a secure connection and an insecure connection.
Pretty darn simple, isn't it? It's all because of the *existence* of
HTTP. Which is "nothing". Therefore no security statement and not
noticed by the user...
In security terms this is a complete, utter security 101 fail. We all
know this.
So how do we get out of the trap? Long hard analysis always leads to
the same end-point: we should deprecate HTTP and go HTTPS for everything.
Google's proposal is a midway point. Now, right at the moment, there is
a building swell of support to head in that direction. Sure it is
messy. But the alternate is "no security" in effect, or security facade
or security theatre, or false sense of security. Whatever term you like.
this is not part of the current proposal, and we're probably talking
about 10 years hence minimum before there are moves to drop HTTP.
Also, talk about name & shame is rather aggressive and fearmongering.
It will probably happen, but it is unlikely to be effective, it never
has been in the past.
security information, especially the "absence of SSL".
they are laggards.
that. It will probably follow, but it isn't going to be that important.
As it happens, we've been trying these things since 2005 when SSL v2
was first discovered to be a barrier to security. And the results were
not scary.
Or you may be referring to the above comment about "honest and ethical
informing" which is actually true. The sad part is that before this
moment, browser vendors have been dishonest and unethical. Now, there
is change in the air. If one browser starts putting better info up,
then others should follow suit.
suggesting they are going ahead with changes that were first identified
decades ago. This is not an underhanded propaganda effort at all, it's
a wakening of some security spirit. But you are right that they are not
explaining this to the general public. That's likely impossible.
marketeer's confusion.
anything that isn't needed because of SEC rules. Same as any company.
Secondly, they aren't talking to you, they're talking to other vendors.
Thirdly this will mostly improve the position of users, not make it
worse for them. Fourthly, as you can see from the convoluted
discussions on this thread, literally nobody agrees with anything anyone
says; security effect of SSL is so layered in settled detritus that
it's a historical artifact not a system.
That said, if you're keen on battling towards better understanding, then
it will take a while. It took me about 5 years to unravel the industry;
don't expect it to take 5 days.
iang
protocol. Of course it highlights the problems in other places. But
does that mean we shouldn't do the small fixes needed in one area?
Yes, they can see the packets, but this is far less damaging. Really,
> People who use their work networks to browse the Web have to accept that
> their employers have a legal right to monitor their activity; if they
> are in a public wifi spot and they connect to the wrong router, they are
> hosed. Even in a secure connection the employers and bad guys can still
> see where the packets are going if they control access point.
the whole issue of traffic analysis is huge, difficult, and probably
best left out of scope.
OK, here, there is a sort of point. Back in the early 2000s, CAs
> I don't care how much TLS is improved from this point on (because in the
> end I have to trust my credit card data with the idiot storing that data
> in an unencrypted database that isn't properly firewalled).
stopped marketing that certs made sites secure. You won't find CAs
advertising that the cert is needed for security. That's because
annoying people like us made the point that they might have to
substantiate that claim in court. And they knew they couldn't do it
before a jury of (our) peers.
But it is still the case that people use the word "security" with
websites and certs too loosely. We can't really avoid that. But that
bad language should not be the reason not to do things.
As I posted earlier, there are several motives:
> I do care
> about whether the security community joins Google's campaign to convert
> the Web to using a protocol that is totally inappropriate in situations
> where no secure data exchange is required. Sure, I get that a Website
> login can be sniffed in a public wifi spot; that is why hackers use
> methods to bypass TLS protections.
>
> I ask that if you want to respond to me, then respond to my questions.
> Please don't bring up TLS and Chrome again. That isn't what this is about.
>
> Website owners will want to know why users should not trust their sites
> when they don't ask for or require credit card information. This
> proposal is part of Google's long-term campaign to change the entire
> Web. They have yet to explain why the Web needs to get off of HTTP. The
> fact a small percentage of people don't want anyone to know what sites
> they browse isn't good enough.
1. To stop passive eavesdropping by eg/ie NSA.
2. To stop datamining by ISPs, broadly, etc, and also to stop ISPs
changing content.
3. To provide fuller authentication of websites, cf phishing.
4. To sell more certificates.
Let me talk about 3. Phishing started up in 2003, and since then has
been used as the wedge to open up and finance the entire cyber fraud
industrial sector. Perhaps worse, it is the lead tool in cyberwar where
"spear phishing" is used to spike open an employee's laptop and then get
into a company.
Now, why does phishing work? Simple. The browser cannot tell the user
the difference between a secure connection and an insecure connection.
Pretty darn simple, isn't it? It's all because of the *existence* of
HTTP. Which is "nothing". Therefore no security statement and not
noticed by the user...
In security terms this is a complete, utter security 101 fail. We all
know this.
So how do we get out of the trap? Long hard analysis always leads to
the same end-point: we should deprecate HTTP and go HTTPS for everything.
Google's proposal is a midway point. Now, right at the moment, there is
a building swell of support to head in that direction. Sure it is
messy. But the alternate is "no security" in effect, or security facade
or security theatre, or false sense of security. Whatever term you like.
Well, I wouldn't hide it as it is possible in the future. But of course
>> Indicating that the connection isn’t secure isn’t forcing everyone to
>> use HTTPS. Disabling HTTP access altogether would do that, but nobody
>> is suggesting that.
this is not part of the current proposal, and we're probably talking
about 10 years hence minimum before there are moves to drop HTTP.
Also, talk about name & shame is rather aggressive and fearmongering.
It will probably happen, but it is unlikely to be effective, it never
has been in the past.
Correct -- the current proposal is about providing more of the complete
>> All this proposal really does is have the user
>> agents be honest and ethically inform their users of the properties of
>> their current connection.
security information, especially the "absence of SSL".
This is an over-reaction. Most website users will not see this unless
> It's an act of intimidation. You may not see it that way but many of
> the Website owners who have to deal with the implications of lost user
> trust DO. And how the victims of intimidation feel is very important in
> a discussion of the tools being used.
they are laggards.
I think you may be confusing calls for name & shame. Google isn't doing
> There is nothing ethical in Google's proposal.
that. It will probably follow, but it isn't going to be that important.
As it happens, we've been trying these things since 2005 when SSL v2
was first discovered to be a barrier to security. And the results were
not scary.
Or you may be referring to the above comment about "honest and ethical
informing" which is actually true. The sad part is that before this
moment, browser vendors have been dishonest and unethical. Now, there
is change in the air. If one browser starts putting better info up,
then others should follow suit.
Well -- it's complicated. They are talking to the other vendors and
> It is a dirty,
> underhanded propaganda tactic that sidesteps a fair and open public
> discussion with the people who will be most affected. They are enticing
> the security community into supporting a sweeping change without fully
> explaining WHY they want it or why it should even be expected to provide
> any benefit.
suggesting they are going ahead with changes that were first identified
decades ago. This is not an underhanded propaganda effort at all, it's
a wakening of some security spirit. But you are right that they are not
explaining this to the general public. That's likely impossible.
Yes, all part of the same campaign. Good.
> Earlier this year Google disclosed that it was giving a slight boost in
> its search results to Websites that use HTTPS. Many marketers
> immediately began discussing the implications of this algorithmic change
> but they don't know how to do the math.
Yeah, whatever. I'm not seeing the problem. I care little for
> If the same boost is applied to every site then the signal washes out in
> the mix. But it is a carrot that Google has dangled in front of the
> donkeys.
marketeer's confusion.
Yawn.
> They love to dangle carrots. See those carrots for what they are.
Well, frankly, google aren't going do that. Firstly, they do not say
> DEMAND A FULL EXPLANATION FROM GOOGLE for why this proposal should be
> adopted.
anything that isn't needed because of SEC rules. Same as any company.
Secondly, they aren't talking to you, they're talking to other vendors.
Thirdly this will mostly improve the position of users, not make it
worse for them. Fourthly, as you can see from the convoluted
discussions on this thread, literally nobody agrees with anything anyone
says; security effect of SSL is so layered in settled detritus that
it's a historical artifact not a system.
That said, if you're keen on battling towards better understanding, then
it will take a while. It took me about 5 years to unravel the industry;
don't expect it to take 5 days.
iang
On 17/12/14 18:44, cha...@yandex-team.ru wrote:
> This is a pretty interesting use case. When you connect at the
> airport, the typical first thing that happens is you get a warning
> saying that the site you want to connect to has the wrong certificate
> (you went to pogoda.yandex.ru but the certtificate is for
> airport.logins.aero, or 1.1.1.1).
If the URL and the target are in different public-suffix+1, that screen
should have a button "I'm trying to connect to a Wifi hotspot" :-) That
then changes to an appropriate URL to get the login page.
Gerv
> This is a pretty interesting use case. When you connect at the
> airport, the typical first thing that happens is you get a warning
> saying that the site you want to connect to has the wrong certificate
> (you went to pogoda.yandex.ru but the certtificate is for
> airport.logins.aero, or 1.1.1.1).
If the URL and the target are in different public-suffix+1, that screen
should have a button "I'm trying to connect to a Wifi hotspot" :-) That
then changes to an appropriate URL to get the login page.
Gerv
[The trouble with having this conversation across many mailing lists is
that when it gets specific, but you want to include people, you don't
know which lists to drop...]
On 18/12/14 22:10, Daniel Kahn Gillmor wrote:
> Four proposed fine-tunings:
>
> A) i don't think we should remove "This website does not supply
> identity information" -- but maybe replace it with "The identity of this
> site is unconfirmed" or "The true identity of this site is unknown"
I prefer a more positive statement to a negative one, certainly.
> -------
> The true identity of this site is unknown.
>
> This web page was transferred over a non-secure connection, which means
> that the page and any information you sent to it could have been read or
> modified by others while in transit.
That's past tense; don't we want to include the future too?
The true identity of this site cannot be confirmed.
Your connection to this site is non-secure. Therefore, any information
you send or receive can be read or modified by others while in transit.
Gerv
that when it gets specific, but you want to include people, you don't
know which lists to drop...]
On 18/12/14 22:10, Daniel Kahn Gillmor wrote:
> Four proposed fine-tunings:
>
> A) i don't think we should remove "This website does not supply
> identity information" -- but maybe replace it with "The identity of this
> site is unconfirmed" or "The true identity of this site is unknown"
I prefer a more positive statement to a negative one, certainly.
> -------
> The true identity of this site is unknown.
>
> This web page was transferred over a non-secure connection, which means
> that the page and any information you sent to it could have been read or
> modified by others while in transit.
That's past tense; don't we want to include the future too?
The true identity of this site cannot be confirmed.
Your connection to this site is non-secure. Therefore, any information
you send or receive can be read or modified by others while in transit.
Gerv
On Wed, Dec 17, 2014 at 6:50 PM, Sigbjørn Vik <sigb...@opera.com> wrote:
>> What would happen exactly when
>> you visit e.g. google.com from the airport (connected to something
>> with a shitty captive portal)?
>
> Assuming interstitials were replaced with cache separation:
>
> The browser would detect that this isn't the same secure google you
> talked to yesterday, and not share any data you got from google
> yesterday with the captive portal. Once you reconnect to the authentic
> google, the browser would use the first set of data again.
How would the user distinguish this case from cookies expiring,
getting lost for some reason, or the monthly two-factor authentication
dance? This sounds very dangerous.
What if google.com uses certificate pinning?
--
https://annevankesteren.nl/
>> What would happen exactly when
>> you visit e.g. google.com from the airport (connected to something
>> with a shitty captive portal)?
>
> Assuming interstitials were replaced with cache separation:
>
> The browser would detect that this isn't the same secure google you
> talked to yesterday, and not share any data you got from google
> yesterday with the captive portal. Once you reconnect to the authentic
> google, the browser would use the first set of data again.
How would the user distinguish this case from cookies expiring,
getting lost for some reason, or the monthly two-factor authentication
dance? This sounds very dangerous.
What if google.com uses certificate pinning?
--
https://annevankesteren.nl/
On 22-Dec-14 13:05, Anne van Kesteren wrote:A big fat warning against an active attack, possibly similar to existing
> On Wed, Dec 17, 2014 at 6:50 PM, Sigbjørn Vik <sigb...@opera.com> wrote:
>>> What would happen exactly when
>>> you visit e.g. google.com from the airport (connected to something
>>> with a shitty captive portal)?
>>
>> Assuming interstitials were replaced with cache separation:
>>
>> The browser would detect that this isn't the same secure google you
>> talked to yesterday, and not share any data you got from google
>> yesterday with the captive portal. Once you reconnect to the authentic
>> google, the browser would use the first set of data again.
>
> How would the user distinguish this case from cookies expiring,
> getting lost for some reason,
interstitials for insecure certificates. After the warning has been
dismissed, there would still be a "site insecure" warning in the address
bar.
Asking for user input, for a user who doesn't check the address bar is
> or the monthly two-factor authentication
> dance? This sounds very dangerous.
dangerous, regardless of interstitials or not; e.g. https stripping, URL
spoofing or phishing.
However, what you describe is a very different scenario from a regular
self-signed certificate. You describe an active attack, where a
previously good certificate is being replaced by an invalid one. In such
cases, warning the user is still good - after all, the browser has
positive evidence that someone is tampering with the connection.
However, even if warning the user, the browser shouldn't share network
credentials with the impostor afterwards.
My point is that https://www.pcwebshop.co.uk is no less safe than
http://www.pcwebshop.co.uk. Forcing the user to interact with confusing
dialogs every time he goes to the https version makes users ignore such
dialogs (or makes users and webmasters prefer http). Or if a site has
used a certificate for two years, and it has now expired by one day,
that doesn't indicate that someone is out to get you. In these cases,
just load the page without forcing the user to click through dialogs,
but do display that the connection is insecure - the same way http is
insecure. Reserve the big fat warnings for cases where the browser can
actually detect that an attack is going on (as in your example) - and
even in those cases, do protect the user.
Certificate pinning or HSTS are designed to hard-fail on insecure
> What if google.com uses certificate pinning?
connections. Improving that UI is a fight for another day ;)
--
Sigbjørn Vik
Opera Software
On 17/12/2014 07:48 am, tyl...@google.com wrote:
> First of all, some change along these lines is absolutely necessary is it
> closes a huge hole that has been successfully exploited since the Netscape
> days. That is, while browsers indicate positive security for TLS, they make
> no indication at all in the case no security, leaving ample room for
> website content to fill that void. Call this the "Green padlock favicon"
> problem if you like.
>
> Some notable points:
>
> Given these roughly 3 distinct scenarios with respect to connection status:
>
> A: The connection is successfully secured. (HTTPS)
> B: No security was attempted. (HTTP)
> C: Securing the connection has failed. (Certificate validation failure)
>
> A few people have said that B and C are roughly identical from a security
> perspective and could be represented as the same state -- in both cases no
> security is provided. I would disagree here. In the case of the failed
> certificate verification, the client has attempted to secure the connection
> and that attempt has failed. In the case of HTTP, the client made no
> indication of a preference for security. While scenario B represents the
> *absence* of security, scenario C represents the *failure* of security, and
> is therefore more troublesome.
Scenario C may be "more troublesome" but not more informative. The
problem is that the software agent is not able to derive any or enough
useful information to inform *a claim of usefulness to the user*. There
are too many innocuous causes and too many false reasons floating
around. And every mistake tells the user that the browser is wrong,
thus training the user for the day the phisher comes along ;)
Hence the occam's razor approach of declaring HTTP to be "insecure" aka
the absence of security, and the failure to secure is "roughly
identical" in terms of quality of information available. Breach this
and you're in danger of training your user to be phished, which is the
perverse reverse of the intent.
> While we want to raise the awareness of
> scenario B, we shouldn't promote it to the severity of scenario C. Doing so
> conflates two very different cases and failure modes; while both represent
> the absence of verifiable transport security, the latter indicates that the
> user's expressed expectation of security has not been met, while the former
> simply reflects the absence of any expectation of security.
Well, again, trouble. You're making a presumption that the user
expressed an expectation of security. In theory you might be able to
divine that from HTTPS but if the user just copied a URL what does that
tell you? Nothing about expectations of that user, because she never
looked at the URL.
Or, if the server simply redirects to HTTPS, what is the expectation
here? The website user "expected" some security but the web browsing
user doesn't care.
Even if we know that a user selected HTTPS, we don't know if the user is
concerned about case 1 (NSA passive eavesdropping) or case 3 (phishing)
with somewhat different security profiles. In short, even if we know
that the user said "give me security" we do not know what the user meant
by that statement.
...
> Finally, it's worth noting that reports from the field in response to the
> Chrome SHA-1 sunsetting initiative have shown that even the most minor of
> warnings has a measurable impact on site operators. I've received many
> reports from operators large and small indicating visible losses of revenue
Which brings up another definition of security: reliability of website
operator's revenue stream. For geeks doing security coding this might
be a strange definition of security, but it is what the user cares about.
It may be the case that some users' security might go down in the short
term in order to provide a higher security over all to more users over
time. Unavoidable, because the former's security (easy web leads to
easy revenue) comes at the latter's expense (easy web leads to higher
risks of attack).
> due to the nearly-hidden warning Chrome currently displays for a SHA-1 cert
> with a long expiration. This suggests that the UX changes surrounding
> security needn't initially be intrusive to have a strong impact on site
> operations. An unobtrusive but centrally-located notice to the effect of
> "your connection has not been secured" is indisputably accurate,
<cough> is better than its absence :)
> conveys no
> bias or agenda, and yet can be expected to produce a sea-change of behavior
> for site operators.
>
> It's like bike locks: they're functional and highly visible, but also
> optional. Still, if one day someone started putting up signs saying "this
> bike has no lock", even though it's telling you nothing you couldn't
> already see, behavior would immediately change.
Good analogy. Certainly, we have to start advertising the absence of
bike locks. Users don't notice but attackers surely do.
iang
> First of all, some change along these lines is absolutely necessary is it
> closes a huge hole that has been successfully exploited since the Netscape
> days. That is, while browsers indicate positive security for TLS, they make
> no indication at all in the case no security, leaving ample room for
> website content to fill that void. Call this the "Green padlock favicon"
> problem if you like.
>
> Some notable points:
>
> Given these roughly 3 distinct scenarios with respect to connection status:
>
> A: The connection is successfully secured. (HTTPS)
> B: No security was attempted. (HTTP)
> C: Securing the connection has failed. (Certificate validation failure)
>
> A few people have said that B and C are roughly identical from a security
> perspective and could be represented as the same state -- in both cases no
> security is provided. I would disagree here. In the case of the failed
> certificate verification, the client has attempted to secure the connection
> and that attempt has failed. In the case of HTTP, the client made no
> indication of a preference for security. While scenario B represents the
> *absence* of security, scenario C represents the *failure* of security, and
> is therefore more troublesome.
Scenario C may be "more troublesome" but not more informative. The
problem is that the software agent is not able to derive any or enough
useful information to inform *a claim of usefulness to the user*. There
are too many innocuous causes and too many false reasons floating
around. And every mistake tells the user that the browser is wrong,
thus training the user for the day the phisher comes along ;)
Hence the occam's razor approach of declaring HTTP to be "insecure" aka
the absence of security, and the failure to secure is "roughly
identical" in terms of quality of information available. Breach this
and you're in danger of training your user to be phished, which is the
perverse reverse of the intent.
> While we want to raise the awareness of
> scenario B, we shouldn't promote it to the severity of scenario C. Doing so
> conflates two very different cases and failure modes; while both represent
> the absence of verifiable transport security, the latter indicates that the
> user's expressed expectation of security has not been met, while the former
> simply reflects the absence of any expectation of security.
Well, again, trouble. You're making a presumption that the user
expressed an expectation of security. In theory you might be able to
divine that from HTTPS but if the user just copied a URL what does that
tell you? Nothing about expectations of that user, because she never
looked at the URL.
Or, if the server simply redirects to HTTPS, what is the expectation
here? The website user "expected" some security but the web browsing
user doesn't care.
Even if we know that a user selected HTTPS, we don't know if the user is
concerned about case 1 (NSA passive eavesdropping) or case 3 (phishing)
with somewhat different security profiles. In short, even if we know
that the user said "give me security" we do not know what the user meant
by that statement.
...
> Finally, it's worth noting that reports from the field in response to the
> Chrome SHA-1 sunsetting initiative have shown that even the most minor of
> warnings has a measurable impact on site operators. I've received many
> reports from operators large and small indicating visible losses of revenue
Which brings up another definition of security: reliability of website
operator's revenue stream. For geeks doing security coding this might
be a strange definition of security, but it is what the user cares about.
It may be the case that some users' security might go down in the short
term in order to provide a higher security over all to more users over
time. Unavoidable, because the former's security (easy web leads to
easy revenue) comes at the latter's expense (easy web leads to higher
risks of attack).
> due to the nearly-hidden warning Chrome currently displays for a SHA-1 cert
> with a long expiration. This suggests that the UX changes surrounding
> security needn't initially be intrusive to have a strong impact on site
> operations. An unobtrusive but centrally-located notice to the effect of
> "your connection has not been secured" is indisputably accurate,
<cough> is better than its absence :)
> conveys no
> bias or agenda, and yet can be expected to produce a sea-change of behavior
> for site operators.
>
> It's like bike locks: they're functional and highly visible, but also
> optional. Still, if one day someone started putting up signs saying "this
> bike has no lock", even though it's telling you nothing you couldn't
> already see, behavior would immediately change.
Good analogy. Certainly, we have to start advertising the absence of
bike locks. Users don't notice but attackers surely do.
iang
On 19/12/2014 00:14 am, Donald Stufft wrote:
>
>> On Dec 18, 2014, at 7:08 PM, Michael Martinez <michael...@xenite.org> wrote:
...
>> A Study of SSL Proxy Attacks on Android and iOS Mobile Applications
>> http://harvey.binghamton.edu/~ychen/CCNC2014_SSL_Attacks.pdf
>>
>> This is only one example.
>
> A skim of this shows that this is about mobile apps not correctly verifying TLS and has nothing to do with whether TLS as a protocol is broken. Probably you should learn how TLS actually works and read the papers you are linking before making extraordinary claims.
Donald, you guys are talking past each other. It's pretty darn obvious
that MM is talking about secure browsing. You are talking about TLS.
MM is approximately right in what he says -- to a user, the "claims"
made by TLS are vague and uncertain, not reliable enough. It matters
not that you might understand how TLS works, or he understands, or he
precisely pinpoints the breach. What matters is whether that
information reaches and leaves the user in a form which is sufficiently
reliable and secure.
MM believes approximately that it doesn't, and that approximate belief
no matter how nuanced is actually a better representation of the user's
beliefs than the PKI industry talk that assumes that if TLS is working
then browsing is secure. Studying more TLS won't change that because
it's already missed the mark; and continuing to pound the desk about
"TLS securing the connection" is irrelevant because that is not secure
browsing, and users can't tell the difference.
...
>> HTTP doesn't need to be secure. Explain to me why I should have to have connect to an HTTPS server just to read the news or a blog? If I am not passing any information to the Website, why does it have to be hosted on HTTPS? That is not trivial for the average Webmaster.
Michael: The problem can be stated simply. Secure browsing doesn't
work well enough if there is both HTTPS and HTTP. When you are doing
any form of secure browsing using standard browsers, there is always a
way to simulate a "secure connection" with HTTP.
The only way to get rid of this is to move all of HTTP to HTTPS.
Makes sense? It isn't that we care about securing your blog reading,
it's because in order to secure your online banking, we need to make the
overall security framework simpler so that more "simulations" can be
stopped.
Google's proposal is a half way step: start by making HTTP clearer in
the context.
>> I'm not just concerned about HTTPS attacks. I'm also concerned about wasted effort being spent on unnecessary security because of Google's fear-mongering. I get why they are doing this. They were hurt in the public image by the Edward Snowden scandal. But they sure don't mind telling everyone they have no reasonable expectation of privacy when their services are involved.
Yeah, tricky. It is of course the case that google's privacy
pronouncements and breaches in other places are unable to be separated
in the user mind for the next place.
However, public relations disasters are probably out of scope here ;)
>> BTW -- as you do your due diligence in these matters, look also for information on how YouTube videos can be used to compromise users' computers. Gosh, that's an HTTPS Website, isn't it? I feel safer already.
>>
>> Complexity that serves no useful purpose represents no improvement on the status quo. Google and those who stand with it on these "privacy" issues need to make a much better case for coercing millions of Websites into using HTTPS.
You are approximately right in what you say. The devil in the details
is however rather nasty. The problem is that in order to get the
browsing onto a secure foundation, we have to a lot of small baby steps.
One small step is that the browsers should start giving more accurate
"absence of TLS" information.
(As some other posters have pointed out, what browsers do say now is
often as wrong and often deceptive. But small baby steps....)
>> Browser developers do not need to participate in this public shaming game.
No, they don't and won't. Someone else will do that. Unfortunately it
is necessary to shift some laggards, uncomfortable as it is.
It may be that name and shame is really bad. It is important to realise
however that google and the other browsers won't be doing that and
aren't responsible for the angst here.
And, not putting out proper information is the wrong way to deal with
the presence of name & shame.
>> I will leave off on this discussion at this point as it is clear to me I am better informed about what is happening than some, and I really am not going to be drawn into to sharing link after link in order to play a stalling game.
>>
>> Some of you guys have already made up your minds on this without doing proper research. But you clearly haven't stopped to think about what a burden you will create for millions of Website owners who have no idea of how to support this insane initiative. And that will just make them more dependent on self-serving solution providers like Google.
The problem is that developers tend to conflate the security statement
of TLS with the security of web browsing. That's a known flaw, but
wasn't really recognised by browser vendors until the last 5 years or so
as attacks made it clear something was broken. The old habits die hard.
>> Don't do this. Please do NOT screw up the web with this nonsense.
Ask yourself this: do you ever want secure browsing to be secure?
iang
>
>> On Dec 18, 2014, at 7:08 PM, Michael Martinez <michael...@xenite.org> wrote:
...
>> A Study of SSL Proxy Attacks on Android and iOS Mobile Applications
>> http://harvey.binghamton.edu/~ychen/CCNC2014_SSL_Attacks.pdf
>>
>> This is only one example.
>
> A skim of this shows that this is about mobile apps not correctly verifying TLS and has nothing to do with whether TLS as a protocol is broken. Probably you should learn how TLS actually works and read the papers you are linking before making extraordinary claims.
Donald, you guys are talking past each other. It's pretty darn obvious
that MM is talking about secure browsing. You are talking about TLS.
MM is approximately right in what he says -- to a user, the "claims"
made by TLS are vague and uncertain, not reliable enough. It matters
not that you might understand how TLS works, or he understands, or he
precisely pinpoints the breach. What matters is whether that
information reaches and leaves the user in a form which is sufficiently
reliable and secure.
MM believes approximately that it doesn't, and that approximate belief
no matter how nuanced is actually a better representation of the user's
beliefs than the PKI industry talk that assumes that if TLS is working
then browsing is secure. Studying more TLS won't change that because
it's already missed the mark; and continuing to pound the desk about
"TLS securing the connection" is irrelevant because that is not secure
browsing, and users can't tell the difference.
...
>> HTTP doesn't need to be secure. Explain to me why I should have to have connect to an HTTPS server just to read the news or a blog? If I am not passing any information to the Website, why does it have to be hosted on HTTPS? That is not trivial for the average Webmaster.
Michael: The problem can be stated simply. Secure browsing doesn't
work well enough if there is both HTTPS and HTTP. When you are doing
any form of secure browsing using standard browsers, there is always a
way to simulate a "secure connection" with HTTP.
The only way to get rid of this is to move all of HTTP to HTTPS.
Makes sense? It isn't that we care about securing your blog reading,
it's because in order to secure your online banking, we need to make the
overall security framework simpler so that more "simulations" can be
stopped.
Google's proposal is a half way step: start by making HTTP clearer in
the context.
>> I'm not just concerned about HTTPS attacks. I'm also concerned about wasted effort being spent on unnecessary security because of Google's fear-mongering. I get why they are doing this. They were hurt in the public image by the Edward Snowden scandal. But they sure don't mind telling everyone they have no reasonable expectation of privacy when their services are involved.
Yeah, tricky. It is of course the case that google's privacy
pronouncements and breaches in other places are unable to be separated
in the user mind for the next place.
However, public relations disasters are probably out of scope here ;)
>> BTW -- as you do your due diligence in these matters, look also for information on how YouTube videos can be used to compromise users' computers. Gosh, that's an HTTPS Website, isn't it? I feel safer already.
>>
>> Complexity that serves no useful purpose represents no improvement on the status quo. Google and those who stand with it on these "privacy" issues need to make a much better case for coercing millions of Websites into using HTTPS.
You are approximately right in what you say. The devil in the details
is however rather nasty. The problem is that in order to get the
browsing onto a secure foundation, we have to a lot of small baby steps.
One small step is that the browsers should start giving more accurate
"absence of TLS" information.
(As some other posters have pointed out, what browsers do say now is
often as wrong and often deceptive. But small baby steps....)
>> Browser developers do not need to participate in this public shaming game.
No, they don't and won't. Someone else will do that. Unfortunately it
is necessary to shift some laggards, uncomfortable as it is.
It may be that name and shame is really bad. It is important to realise
however that google and the other browsers won't be doing that and
aren't responsible for the angst here.
And, not putting out proper information is the wrong way to deal with
the presence of name & shame.
>> I will leave off on this discussion at this point as it is clear to me I am better informed about what is happening than some, and I really am not going to be drawn into to sharing link after link in order to play a stalling game.
>>
>> Some of you guys have already made up your minds on this without doing proper research. But you clearly haven't stopped to think about what a burden you will create for millions of Website owners who have no idea of how to support this insane initiative. And that will just make them more dependent on self-serving solution providers like Google.
The problem is that developers tend to conflate the security statement
of TLS with the security of web browsing. That's a known flaw, but
wasn't really recognised by browser vendors until the last 5 years or so
as attacks made it clear something was broken. The old habits die hard.
>> Don't do this. Please do NOT screw up the web with this nonsense.
Ask yourself this: do you ever want secure browsing to be secure?
iang
I don’t really care what you call it, the simple fact is the actual *attacks* that are being described do not apply to the browsers and they rely on the client not implementing TLS validation.
> On Dec 22, 2014, at 9:12 AM, ianG <ia...@iang.org> wrote:
>
> On 19/12/2014 00:14 am, Donald Stufft wrote:
>>
>>> On Dec 18, 2014, at 7:08 PM, Michael Martinez <michael...@xenite.org> wrote:
> ...
>>> A Study of SSL Proxy Attacks on Android and iOS Mobile Applications
>>> http://harvey.binghamton.edu/~ychen/CCNC2014_SSL_Attacks.pdf
>>>
>>> This is only one example.
>>
>> A skim of this shows that this is about mobile apps not correctly verifying TLS and has nothing to do with whether TLS as a protocol is broken. Probably you should learn how TLS actually works and read the papers you are linking before making extraordinary claims.
>
>
> Donald, you guys are talking past each other. It's pretty darn obvious that MM is talking about secure browsing. You are talking about TLS.
>
> MM is approximately right in what he says -- to a user, the "claims" made by TLS are vague and uncertain, not reliable enough. It matters not that you might understand how TLS works, or he understands, or he precisely pinpoints the breach. What matters is whether that information reaches and leaves the user in a form which is sufficiently reliable and secure.
>
> MM believes approximately that it doesn't, and that approximate belief no matter how nuanced is actually a better representation of the user's beliefs than the PKI industry talk that assumes that if TLS is working then browsing is secure. Studying more TLS won't change that because it's already missed the mark; and continuing to pound the desk about "TLS securing the connection" is irrelevant because that is not secure browsing, and users can't tell the difference.
My interest in this is I study and design HTTP servers and content management systems professionally, including HTTPS website deployment for a Certificate Authority.
I would first like to note that there is a very high cost to implementing HTTPS. For individuals, they have to verify ownership of a domain name and/or business entity, install a TLS certificate, and then figure out why their embeds and scripts stopped working. For enterprise, we have to figure out how to mint and revoke large numbers of certificates, and store large numbers of private keys securely (a database with ten thousand private TLS keys is a very precious target indeed!).
If someone uses HTTPS, they do so because they anticipate they need the security. Especially considering someone took on a not-insignificant cost to ensure that their users would have that security. The request for security means something!
HTTP could mean, simply, "I don't care about security". A TLS failure means "Security is _required_ by the other party, but couldn't be set up and verified. Abort! Abort!"
Purporting that plaintext and HTTPS failure is the same would be conditioning users to be less worried about HTTPS failures, where there's a known _requirement_ for confidentiality.
There may be some value in saying "as with many network requests, request/submission is being sent in the clear. Anyone on your network will be able to read this!". But big scary warnings are most certainly bad. No matter what, before I claim anything for sure, I would like to see a double-blind study, and not change for the sake of change.
There are alternatives. Security should be a boolean: you either have it or you don't, BUT different people have different criteria for what meets the standard of "secure".
If I'm connecting to my bank, or conducting business, I want an EV certificate signed by a mutually trusted third party verifying legal corporate ownership of the domain name (after all, I might have mistyped it!).
If I'm embedding a cat video on my website, the end-user doesn't care who the owner is, a chain of trust is satisfactory: If the end-user can trust me with their passwords, they can trust me to say "that cat picture I'm embedding from that other site is OK, here's how you can verify their authenticity."
Traditionally, this is done with TLS which has to meet the same standards as a user-facing website, that the website is signed by a mutually trusted third party Certificate Authority. This need not be the only way.
This could also be done with embedding TLS certificates in the user-facing website, embedding TLS certificates in DNS records as DANE specifies, or embedding integrity hashes, as Subresource Integrity does.
Support for these methods, in Web browsers and in future generations of Webservers and content management applications, would reduce the cost of security, and make it more accessible.
Saying all these alternatives are the same to everyone will HURT security by making it more costly to deploy (i.e. the value of the next best (insecure) alternative goes up, in economist terms).
So, let's not treat different "levels" (methods) of security as the same (plaintext, TLS failure, TLS revoked certificate, SRI, DANE, TLS self-signed, TLS CA signed, EV, ...). They're all (boolean) secure or insecure depending on context, and much of this context is known and usable by the user agent. (Some isn't: loading cat pictures might be secure enough for most people to not warrant any failure, even over plaintext; but performing any write actions (like logging in, posting a comment) on said website would be a failure. Currently, unfortunately, there is no technology/vocabulary that would let us distinguish between these two cases. In other cases, what constitutes "secure" is negotiated: I might not want to reveal to my employer I'm browsing cat pictures, ever; but I am fine with my coffee shop knowing this, especially if it means more ads for funny cats.)
Instead, let's deploy more options for securing content. DANE is designed for this. If there's a problem with DANE the spec, then let's fix that; but there's NO good reason to require that all requests in all cases must be CA-verified. If I want a secure connection with "me.example" -- just the server -- why wouldn't a TLSA record be acceptable, but a signature from any one of a few hundred CAs would be?
Finally, let's remember this problem exists for other protocols too (CoAP, email, DNS, NTP). A solution, if it indeed is a solution, will be deployable to these protocols. (I particularly think security of NTP is underrated, considering it plays a huge role in security now: It sets system dates used in PKI, and even finances with peer-to-peer block chains like Bitcoin.)
Austin Wright.
On Fri, Dec 12, 2014 at 5:46 PM, Chris Palmer <pal...@google.com> wrote:
Hi everyone,Apologies to those of you who are about to get this more than once, due to the cross-posting. I'd like to get feedback from a wide variety of people: UA developers, web developers, and users. The canonical location for this proposal is: https://www.chromium.org/Home/chromium-security/marking-http-as-non-secure.Proposal
We, the Chrome Security Team, propose that user agents (UAs) gradually change their UX to display non-secure origins as affirmatively non-secure. We intend to devise and begin deploying a transition plan for Chrome in 2015.
The goal of this proposal is to more clearly display to users that HTTP provides no data security.
Request
We’d like to hear everyone’s thoughts on this proposal, and to discuss with the web community about how different transition plans might serve users.
Background
We all need data communication on the web to be secure (private, authenticated, untampered). When there is no data security, the UA should explicitly display that, so users can make informed decisions about how to interact with an origin.
Roughly speaking, there are three basic transport layer security states for web origins:
Secure (valid HTTPS, other origins like (*, localhost, *));
Dubious (valid HTTPS but with mixed passive resources, valid HTTPS with minor TLS errors); and
Non-secure (broken HTTPS, HTTP).
For more precise definitions of secure and non-secure, see Requirements for Powerful Features and Mixed Content.
We know that active tampering and surveillance attacks, as well as passive surveillance attacks, are not theoretical but are in fact commonplace on the web.
NSA uses Google cookies to pinpoint targets for hacking
Verizon’s ‘Perma-Cookie’ Is a Privacy-Killing Machine
How bad is it to replace adSense code id to ISP's adSense ID on free Internet?
Comcast Wi-Fi serving self-promotional ads via JavaScript injection
Erosion of the moral authority of transparent middleboxes
Transitioning The Web To HTTPS
We know that people do not generally perceive the absence of a warning sign. (See e.g. The Emperor's New Security Indicators.) Yet the only situation in which web browsers are guaranteed not to warn users is precisely when there is no chance of security: when the origin is transported via HTTP. Here are screenshots of the status quo for non-secure domains in Chrome, Safari, Firefox, and Internet Explorer:
Particulars
UA vendors who agree with this proposal should decide how best to phase in the UX changes given the needs of their users and their product design constraints. Generally, we suggest a phased approach to marking non-secure origins as non-secure. For example, a UA vendor might decide that in the medium term, they will represent non-secure origins in the same way that they represent Dubious origins. Then, in the long term, the vendor might decide to represent non-secure origins in the same way that they represent Bad origins.
Ultimately, we can even imagine a long term in which secure origins are so widely deployed that we can leave them unmarked (as HTTP is today), and mark only the rare non-secure origins.
There are several ways vendors might decide to transition from one phase to the next. For example, the transition plan could be time-based:
T0 (now): Non-secure origins unmarked
T1: Non-secure origins marked as Dubious
T2: Non-secure origins marked as Non-secure
T3: Secure origins unmarked
Or, vendors might set thresholds based on telemetry that measures the ratios of user interaction with secure origins vs. non-secure. Consider this strawman proposal:
Secure > 65%: Non-secure origins marked as Dubious
Secure > 75%: Non-secure origins marked as Non-secure
Secure > 85%: Secure origins unmarked
The particular thresholds or transition dates are very much up for discussion. Additionally, how to define “ratios of user interaction” is also up for discussion; ideas include the ratio of secure to non-secure page loads, the ratio of secure to non-secure resource loads, or the ratio of total time spent interacting with secure vs. non-secure origins.
We’d love to hear what UA vendors, web developers, and users think. Thanks for reading!
On 24 Dec 2014 03:53, "Austin William Wright" <a...@bzfx.net> wrote:
>
> My interest in this is I study and design HTTP servers and content management systems professionally, including HTTPS website deployment for a Certificate Authority.
>
> I would first like to note that there is a very high cost to implementing HTTPS. For individuals, they have to verify ownership of a domain name and/or business entity, install a TLS certificate, and then figure out why their embeds and scripts stopped working. For enterprise, we have to figure out how to mint and revoke large numbers of certificates, and store large numbers of private keys securely (a database with ten thousand private TLS keys is a very precious target indeed!).
>
> If someone uses HTTPS, they do so because they anticipate they need the security. Especially considering someone took on a not-insignificant cost to ensure that their users would have that security. The request for security means something!
No, the request for a resource means something. Security is about the quality of service in delivering said thing.
> HTTP could mean, simply, "I don't care about security".
Then user agents should be free to act on behalf of users to write off correspondents who do not value the user enough to protect the message in transit.
You're making claims about what UA's must do from the perspective of servers; this is a clear agency problem misunderstanding.
We're the user's agent, not the publisher's.
> A TLS failure means "Security is _required_ by the other party, but couldn't be set up and verified. Abort! Abort!"
>
> Purporting that plaintext and HTTPS failure is the same would be conditioning users to be less worried about HTTPS failures, where there's a known _requirement_ for confidentiality.
The UA could develop different (but also scary) UI for these conditions.
Regardless, we have done a poor job communicating the effective system model (that content is not tamper-evidentwhen served over HTTP). Steps to make this clearer aren't the same thing as throwing all distinction overboard.
> There may be some value in saying "as with many network requests, request/submission is being sent in the clear. Anyone on your network will be able to read this!". But big scary warnings are most certainly bad. No matter what, before I claim anything for sure, I would like to see a double-blind study, and not change for the sake of change.
This sort of argument might have worked in '12. Apologies, but you're dreadfully late.
>> Particulars> To unsubscribe from this group and stop receiving emails from it, send an email to blin...@chromium.org.
>>
>>
>> UA vendors who agree with this proposal should decide how best to phase in the UX changes given the needs of their users and their product design constraints. Generally, we suggest a phased approach to marking non-secure origins as non-secure. For example, a UA vendor might decide that in the medium term, they will represent non-secure origins in the same way that they represent Dubious origins. Then, in the long term, the vendor might decide to represent non-secure origins in the same way that they represent Bad origins.
>>
>>
>> Ultimately, we can even imagine a long term in which secure origins are so widely deployed that we can leave them unmarked (as HTTP is today), and mark only the rare non-secure origins.
>>
>>
>> There are several ways vendors might decide to transition from one phase to the next. For example, the transition plan could be time-based:
>>
>>
>> T0 (now): Non-secure origins unmarked
>>
>> T1: Non-secure origins marked as Dubious
>>
>> T2: Non-secure origins marked as Non-secure
>>
>> T3: Secure origins unmarked
>>
>>
>> Or, vendors might set thresholds based on telemetry that measures the ratios of user interaction with secure origins vs. non-secure. Consider this strawman proposal:
>>
>>
>> Secure > 65%: Non-secure origins marked as Dubious
>>
>> Secure > 75%: Non-secure origins marked as Non-secure
>>
>> Secure > 85%: Secure origins unmarked
>>
>>
>> The particular thresholds or transition dates are very much up for discussion. Additionally, how to define “ratios of user interaction” is also up for discussion; ideas include the ratio of secure to non-secure page loads, the ratio of secure to non-secure resource loads, or the ratio of total time spent interacting with secure vs. non-secure origins.
>>
>>
>> We’d love to hear what UA vendors, web developers, and users think. Thanks for reading!
>
>
Which standards bodies are those? Cause the W3C TAG is recommending pervasive end-to-end transit encryption.
On 18 Dec 2014 14:22, "Jeffrey Walton" <nolo...@gmail.com> wrote:
On Thu, Dec 18, 2014 at 5:10 PM, Daniel Kahn Gillmor
<d...@fifthhorseman.net> wrote:
> ...None of them are correct when an interception proxy is involved. All
> Four proposed fine-tunings:
>
> A) i don't think we should remove "This website does not supply
> identity information" -- but maybe replace it with "The identity of this
> site is unconfirmed" or "The true identity of this site is unknown"
of them lead to a false sense of security.
Given the degree to which standard bodies accommodate (promote?)
interception, UA's should probably steer clear of making any
statements like that if accuracy is a goal.
To unsubscribe from this group and stop receiving emails from it, send an email to blin...@chromium.org.
On Wed, Dec 24, 2014 at 5:43 PM, Alex Russell <sligh...@google.com> wrote:W3C and IETF. They may be recommending it, but their deliverables are
> Which standards bodies are those? Cause the W3C TAG is recommending
> pervasive end-to-end transit encryption.
failing to meet expectations.
Jeff
That change in attitudes and recommendations hasn't retroactively caused change in software is...well...the state of all human affairs.
New APIs are absolutely being denied to HTTP content (see WebCrypro and Service Workers). The TAG will continue to recommend this. Stay tuned for the Finding.
Regards
Have there been any suggestions what to do about <FORM>s sent over HTTP that include <INPUT type="password">? For example marking the password field itself as dubious/insecure? (I am absolutely not saying that is what browsers should be doing, mind you)
Oh, just set the form action to an invalid HTTPS url, and change it with JS on the submit event, or just send via AJAX... see perfectly secure (no warnings), you can even use rot-13 for extra protection... and who cares about non JS browsers? :-P
> On 26 Dec 2014, at 22:20, Jiri Danek <software...@gmail.com> wrote:
>
> Have there been any suggestions what to do about <FORM>s sent over HTTP that include <INPUT type="password">? For example marking the password field itself as dubious/insecure? (I am absolutely not saying that is what browsers should be doing, mind you)
Seriously though, we need to start moving over to HTTPS only... baby steps at first (e.g. tiny UI hints to educate users), fix the issues (e.g. issuing and installing certs), but we can get there eventually :-)
Craig
Submitting a password over HTTP. I mean, this is a really LOW bar to
win. May I suggest a few phases?
Phase 1 = warn the user when they are about to submit a password field
over HTTP (do some browsers do this already?)
Phase 2 = submit a recommendation and guidance to have development tools
warn the developers somehow during development...
Phase 3 = ban this practice in the browser someday
win. May I suggest a few phases?
Phase 1 = warn the user when they are about to submit a password field
over HTTP (do some browsers do this already?)
Phase 2 = submit a recommendation and guidance to have development tools
warn the developers somehow during development...
Phase 3 = ban this practice in the browser someday
On Wed, Dec 24, 2014 at 3:43 PM, Alex Russell <sligh...@google.com> wrote:
On 24 Dec 2014 03:53, "Austin William Wright" <a...@bzfx.net> wrote:
>
> My interest in this is I study and design HTTP servers and content management systems professionally, including HTTPS website deployment for a Certificate Authority.
>
> I would first like to note that there is a very high cost to implementing HTTPS. For individuals, they have to verify ownership of a domain name and/or business entity, install a TLS certificate, and then figure out why their embeds and scripts stopped working. For enterprise, we have to figure out how to mint and revoke large numbers of certificates, and store large numbers of private keys securely (a database with ten thousand private TLS keys is a very precious target indeed!).
>
> If someone uses HTTPS, they do so because they anticipate they need the security. Especially considering someone took on a not-insignificant cost to ensure that their users would have that security. The request for security means something!No, the request for a resource means something. Security is about the quality of service in delivering said thing.
Specifically, I refer to privacy and authentication (which seems to be what "security" means here). There's many components to security, and they're not all going to be desired at the same level for every request, sometimes even at odds with each other. Deniability is a particularly expensive one to implement, often at significant monetary and performance cost to the user. Deniability is simply not implemented by any website (or more accurately, any authority) indexed by the major search engines.
It's difficult to claim that deniability, though, is about "quality of service", but it is nonetheless considered something _very_ important by Tor, and by users of it.
> HTTP could mean, simply, "I don't care about security".
Then user agents should be free to act on behalf of users to write off correspondents who do not value the user enough to protect the message in transit.
You're making claims about what UA's must do from the perspective of servers; this is a clear agency problem misunderstanding.
We're the user's agent, not the publisher's.
When a user navigates to an https:// resource, or hits the checkbox for STARTTLS, or selects "Require encryption" from a drop-down, they, the user, are *demanding* a secure connection (for someone's definition of secure; traditionally this means privacy and authentication but need not include deniability).
If we want to talk about the perspective of servers, the server has options to demand a secure connection too; it simply has to deny plaintext requests (it could redirect, but this risks the user-agent sending sensitive information including request-uri that'll just be ignored), and TLS can specifically ask for or require a client TLS certificate for authentication.
The user-agent works for the user, not the other way around. Letting a user-agent intervene in the case of a plaintext request is imposing a value on the user: It prioritizes privacy over "DO NOT BREAK USERSPACE!" which is not *necessarily* true.
If TLS were free or very cheap to implement, however, this would be a non-issue. Hence my treatment of ways to do this.
Even if the http-as-non-secure proposal fully worked; it still increases the cost of publishing content and barriers to entry. I recall Tim Berners-Lee recollecting that requiring users mint a long-lived URI was concerning cost; but there was no other way to design a decentralized Web. (In the end, the biggest barrier to entry has been acquisition of a domain name and hosting.)
Of course, if efficiency and security are at odds, then we prefer security. However, I see making TLS implementation cheaper as a viable alternative to this proposal, and so is far more appealing.
> A TLS failure means "Security is _required_ by the other party, but couldn't be set up and verified. Abort! Abort!"
>
> Purporting that plaintext and HTTPS failure is the same would be conditioning users to be less worried about HTTPS failures, where there's a known _requirement_ for confidentiality.The UA could develop different (but also scary) UI for these conditions.
I am specifically referring to the part of the proposal that, in the long term, specifies no UI difference between plaintext and failed-TLS.
Would you care to make an alternate proposal with this change?
Regardless, we have done a poor job communicating the effective system model (that content is not tamper-evidentwhen served over HTTP). Steps to make this clearer aren't the same thing as throwing all distinction overboard.
> There may be some value in saying "as with many network requests, request/submission is being sent in the clear. Anyone on your network will be able to read this!". But big scary warnings are most certainly bad. No matter what, before I claim anything for sure, I would like to see a double-blind study, and not change for the sake of change.
This sort of argument might have worked in '12. Apologies, but you're dreadfully late.
I'm afraid snark wasn't my first language, so you'll have to refresh my memory: what are you referring to?
Earlier in my message, I touched on the danger of users dismissing warnings for their e.g. bank, because users become dismissive of "insecure connection" warnings found elsewhere.
Now, we might have HSTS (for my bank example), but at that point we're no longer talking about two tiers of security, but three (insecure-bypassable, insecure-nonbypassable, secure), which is precisely what the proposal is advocating moving _away_ from (or, the proposal is not very clear on this point, and a clarification in its text would be necessary).
> If we want to talk about the perspective of servers, the server has options> ...
> to demand a secure connection too; it simply has to deny plaintext requests
Actually, no. Middleware boxes and a class of active attackers can do
whatever they want.
The control to stop most of the intercept related attacks - public key
pinning - was watered down by the committee members to the point that
the attacker effectively controls the pinset. (Here, I'm making no
differentiation between the "good" bad guys and the "bad" bad guys
because its nearly impossible to differentiate between them).
That is, the standard could have provided policy and the site could
have sent a policy that governed the pinset. The site could have
allowed an override or denied an override. But it was decided all
users must be subjected to the interception, so the policy elements
were not provided.
So how's that for strategy: the user does not get a choice in their
secure connection and the site does not get a choice in its secure
connection. Rather, some unrelated externality makes the choice.
Jeff
>> ...
On Fri, Dec 26, 2014 at 8:33 PM, Austin William Wright <a...@bzfx.net> wrote:
>
> On Wed, Dec 24, 2014 at 3:43 PM, Alex Russell <sligh...@google.com>
> wrote:
>> ...
Chris Bentzel <cben...@chromium.org> wrote:
> On Thu, Dec 18, 2014 at 4:18 PM, Monica Chew <m...@mozilla.com> wrote:
>> On Thu, Dec 18, 2014 at 12:27 PM, Chris Palmer <pal...@google.com> wrote:
>>>
>>> On Thu, Dec 18, 2014 at 12:12 PM, Monica Chew <m...@mozilla.com> wrote:
>>>
>>> > I support the goal of this project, but I'm not sure how we can get to a
>>> > point where showing warning indicators makes sense. It seems that about
>>> > 67%
>>> > of pageviews on the Firefox beta channel are http, not https. How are
>>> > Chrome's numbers?
>>>
>>> Currently, roughly 58% of top-level navigations in Chrome are HTTPS.
>>
>> Thanks for the numbers. That's a significant gap (58% vs 33%). Do you have
>> any idea why this might be the case?
>
> It's possible this is due to Firefox not counting same-frame
> navigations (fragment change, pushState) as top-level navigations.
>
> I added Navigation.MainFrameSchemeDifferentPage recently which
> excludes these navigations, and the fraction of navigations that are
> https is significantly lower.
You are correct that the Firefox telemetry is measuring something
different from the Chrome telemetry. Basically, Firefox's telemetry is
measuring network requests made for top-level document loads, not
served from the cache (IIRC), and not involving any pushState/fragment
stuff. It was created by the Mozilla networking team for measuring
stuff that actually touches the network.
In particular, it seems to count each redirect in a redirect chain
separately, so an HTTP -> HTTPS redirect is counted as one non-secure
load and one secure load. Although this has some relevance to the UI
issue (how the UI encourages the user to attempt to load pages over
HTTP even though the site prefers HTTPS), this is probably not good
for measuring the impact of changing the address bar UI.
Even Chrome's 58% number is probably under-estimating the number of
navigations that *could* happen loaded over HTTPS. I think a key to
making a successful UI change like the one proposed is to identify
HTTP loads that could be HTTPS loads, and actively make them HTTPS
loads, similar to what HTTPS Everywhere does. Both browsers do this
with HSTS and HSTS preloading, but that approach is too conservative.
We need to find a way to measure this gap between "could be HTTPS" and
"is HTTPS" and then more actively close that gap.
It would also be useful to consider metrics such as what percentage of
page loads happen as a result of the end-user typing or pasting a
scheme-less domain name into the address bar, and of that percentage,
how many resulted in an HTTPS load, how many resulted in an HTTP load
even though an HTTPS load would have worked fine, and how many really
needed to be HTTP loads?
It would also be useful to consider search metrics. When I search for
"RFC 5246" with Google Search or Yahoo! Search, the top result is
http://tools.ietf.org/html/rfc5246. But,
HTTPS://tools.ietf.org/html/rfc5246 has the exact-same content. How
often does this happen? What can be done to make search engines
consider the HTTPS:// variant the canonical, default, choice? (Note:
RFC 5246 is the TLS 1.2 specification.)
Are the Chrome numbers available broken down by geography and/or
language? I think it is likely to be the case that different
populations (e.g. German language websites vs. Chinese-language
websites) have quite different mixes of HTTP vs. HTTPS usage.
Comparing some of the country-specific Alexa lists seems to support
this idea. Peoples' understanding and reaction to security indicator
changes is likely to be varied by locale too. Also, it is likely that
some locales will reach whatever thresholds for triggering a UX change
well before other locales. Should such UX changes be rolled out
separately by locale?
Cheers,
Brian
> On Thu, Dec 18, 2014 at 4:18 PM, Monica Chew <m...@mozilla.com> wrote:
>> On Thu, Dec 18, 2014 at 12:27 PM, Chris Palmer <pal...@google.com> wrote:
>>>
>>> On Thu, Dec 18, 2014 at 12:12 PM, Monica Chew <m...@mozilla.com> wrote:
>>>
>>> > I support the goal of this project, but I'm not sure how we can get to a
>>> > point where showing warning indicators makes sense. It seems that about
>>> > 67%
>>> > of pageviews on the Firefox beta channel are http, not https. How are
>>> > Chrome's numbers?
>>>
>>> Currently, roughly 58% of top-level navigations in Chrome are HTTPS.
>>
>> Thanks for the numbers. That's a significant gap (58% vs 33%). Do you have
>> any idea why this might be the case?
>
> It's possible this is due to Firefox not counting same-frame
> navigations (fragment change, pushState) as top-level navigations.
>
> I added Navigation.MainFrameSchemeDifferentPage recently which
> excludes these navigations, and the fraction of navigations that are
> https is significantly lower.
You are correct that the Firefox telemetry is measuring something
different from the Chrome telemetry. Basically, Firefox's telemetry is
measuring network requests made for top-level document loads, not
served from the cache (IIRC), and not involving any pushState/fragment
stuff. It was created by the Mozilla networking team for measuring
stuff that actually touches the network.
In particular, it seems to count each redirect in a redirect chain
separately, so an HTTP -> HTTPS redirect is counted as one non-secure
load and one secure load. Although this has some relevance to the UI
issue (how the UI encourages the user to attempt to load pages over
HTTP even though the site prefers HTTPS), this is probably not good
for measuring the impact of changing the address bar UI.
Even Chrome's 58% number is probably under-estimating the number of
navigations that *could* happen loaded over HTTPS. I think a key to
making a successful UI change like the one proposed is to identify
HTTP loads that could be HTTPS loads, and actively make them HTTPS
loads, similar to what HTTPS Everywhere does. Both browsers do this
with HSTS and HSTS preloading, but that approach is too conservative.
We need to find a way to measure this gap between "could be HTTPS" and
"is HTTPS" and then more actively close that gap.
It would also be useful to consider metrics such as what percentage of
page loads happen as a result of the end-user typing or pasting a
scheme-less domain name into the address bar, and of that percentage,
how many resulted in an HTTPS load, how many resulted in an HTTP load
even though an HTTPS load would have worked fine, and how many really
needed to be HTTP loads?
It would also be useful to consider search metrics. When I search for
"RFC 5246" with Google Search or Yahoo! Search, the top result is
http://tools.ietf.org/html/rfc5246. But,
HTTPS://tools.ietf.org/html/rfc5246 has the exact-same content. How
often does this happen? What can be done to make search engines
consider the HTTPS:// variant the canonical, default, choice? (Note:
RFC 5246 is the TLS 1.2 specification.)
Are the Chrome numbers available broken down by geography and/or
language? I think it is likely to be the case that different
populations (e.g. German language websites vs. Chinese-language
websites) have quite different mixes of HTTP vs. HTTPS usage.
Comparing some of the country-specific Alexa lists seems to support
this idea. Peoples' understanding and reaction to security indicator
changes is likely to be varied by locale too. Also, it is likely that
some locales will reach whatever thresholds for triggering a UX change
well before other locales. Should such UX changes be rolled out
separately by locale?
Cheers,
Brian
On Fri, Dec 26, 2014 at 7:43 PM, Jeffrey Walton <nolo...@gmail.com> wrote:> If we want to talk about the perspective of servers, the server has options
> to demand a secure connection too; it simply has to deny plaintext requests
> ...
Actually, no. Middleware boxes and a class of active attackers can do
whatever they want.
Ah yes, I wasn't even considering the class of active attacks, where *any* attempt to go over cleartext would be vulnerable. Thanks for pointing this out!
(I was careful to specify that accepting the TCP connection, for the purposes of redirecting, could leak information to eavesdroppers.)
The control to stop most of the intercept related attacks - public key
pinning - was watered down by the committee members to the point that
the attacker effectively controls the pinset. (Here, I'm making no
differentiation between the "good" bad guys and the "bad" bad guys
because its nearly impossible to differentiate between them).
That is, the standard could have provided policy and the site could
have sent a policy that governed the pinset. The site could have
allowed an override or denied an override. But it was decided all
users must be subjected to the interception, so the policy elements
were not provided.
So how's that for strategy: the user does not get a choice in their
secure connection and the site does not get a choice in its secure
connection. Rather, some unrelated externality makes the choice.
I share your concerns, and more: Public Key Pinning (and Strict Transport Security, for that matter) is awfully specific to HTTP, even though it has nothing to do with HTTP at all. The proper place to put this information is in DNS records. This has worked reasonably well for Email; or at least I don't see anyone proposing we query SMTP servers for relevant security metadata. So why do this for HTTP? (If one wants to answer that properly stopping forged headers is less important than stopping plaintext cat pictures, color me surprised; if it's because it's a better alternative than unencrypted DNS records for those lacking DNSSEC, that's a better answer, but it's still relegates HPKP and HSTS to the realm of "stopgap measure".)
Austin.
On Dec 26, 2014 10:01 PM, "Austin William Wright" <a...@bzfx.net> wrote:
>
>
>
> On Fri, Dec 26, 2014 at 7:43 PM, Jeffrey Walton <nolo...@gmail.com> wrote:
>>
>> > If we want to talk about the perspective of servers, the server has options
>> > to demand a secure connection too; it simply has to deny plaintext requests
>> > ...
>>
>> Actually, no. Middleware boxes and a class of active attackers can do
>> whatever they want.
>
>
> Ah yes, I wasn't even considering the class of active attacks, where *any* attempt to go over cleartext would be vulnerable. Thanks for pointing this out!
>
> (I was careful to specify that accepting the TCP connection, for the purposes of redirecting, could leak information to eavesdroppers.)
>
>>
>>
>> The control to stop most of the intercept related attacks - public key
>> pinning - was watered down by the committee members to the point that
>> the attacker effectively controls the pinset. (Here, I'm making no
>> differentiation between the "good" bad guys and the "bad" bad guys
>> because its nearly impossible to differentiate between them).
To Jeffrey: can you please stop the ad hominem attacks? Especially when the three authors have all worked on Chromium, and two are actively championing this proposal? This sort of revisionist history does no one any good. It is a simple threat model: If you give up administrative access to your physical device, it is no longer your device. The thing you lament missing due to some shadowy committee members (hi! No shadows here!) Is a simple recognition of two things: if your device is physically owned, it is physically owned, and no remote server can express a policy that clients will not be able to override, short of Trusted Computing and Remote Attestation (which is the tech term for saying once unicorns and fairies cease their blood feud and restore Santa Claus to his rightful throne in the North Pole... because it's all fiction).
I've avoided commenting all of the other times you've misrepresented how this came to be, but lest it be seen that our silence is assent, I have to at least call out this dissent.
>>
>> That is, the standard could have provided policy and the site could
>> have sent a policy that governed the pinset. The site could have
>> allowed an override or denied an override. But it was decided all
>> users must be subjected to the interception, so the policy elements
>> were not provided.
>>
>> So how's that for strategy: the user does not get a choice in their
>> secure connection and the site does not get a choice in its secure
>> connection. Rather, some unrelated externality makes the choice.
>
>
> I share your concerns, and more: Public Key Pinning (and Strict Transport Security, for that matter) is awfully specific to HTTP, even though it has nothing to do with HTTP at all. The proper place to put this information is in DNS records. This has worked reasonably well for Email; or at least I don't see anyone proposing we query SMTP servers for relevant security metadata.
I assume that you aren't familiar with STARTTLS? The encryption and security story for email is disastrously worse than anything for HTTP.
> So why do this for HTTP? (If one wants to answer that properly stopping forged headers is less important than stopping plaintext cat pictures, color me surprised; if it's because it's a better alternative than unencrypted DNS records for those lacking DNSSEC, that's a better answer, but it's still relegates HPKP and HSTS to the realm of "stopgap measure".)
>
> Austin.
Indeed. From the point of view of client applications, DNSSEC is a complete and utter failure, and will remain so for the next decade, given hardware cycles. If a decade sounds like a stopgap measure, when it was longer than the relevant lifetime of sites like Myspace, so be it, but that seems like a pretty good run to me.
On Fri, Dec 26, 2014 at 11:36 PM, Ryan Sleevi <rsl...@chromium.org> wrote:
(snip)
>>
>> That is, the standard could have provided policy and the site could
>> have sent a policy that governed the pinset. The site could have
>> allowed an override or denied an override. But it was decided all
>> users must be subjected to the interception, so the policy elements
>> were not provided.
>>
>> So how's that for strategy: the user does not get a choice in their
>> secure connection and the site does not get a choice in its secure
>> connection. Rather, some unrelated externality makes the choice.
>
>
> I share your concerns, and more: Public Key Pinning (and Strict Transport Security, for that matter) is awfully specific to HTTP, even though it has nothing to do with HTTP at all. The proper place to put this information is in DNS records. This has worked reasonably well for Email; or at least I don't see anyone proposing we query SMTP servers for relevant security metadata.I assume that you aren't familiar with STARTTLS? The encryption and security story for email is disastrously worse than anything for HTTP.
> So why do this for HTTP? (If one wants to answer that properly stopping forged headers is less important than stopping plaintext cat pictures, color me surprised; if it's because it's a better alternative than unencrypted DNS records for those lacking DNSSEC, that's a better answer, but it's still relegates HPKP and HSTS to the realm of "stopgap measure".)
>
> Austin.Indeed. From the point of view of client applications, DNSSEC is a complete and utter failure, and will remain so for the next decade, given hardware cycles. If a decade sounds like a stopgap measure, when it was longer than the relevant lifetime of sites like Myspace, so be it, but that seems like a pretty good run to me.
I would challenge this notion: The deployment cycle doesn't seem to be that much longer than TLS (underneath HTTP). SSL was first available in 1995, standardized 1996, almost twenty years ago. TLS 1.0 came out 1999 and we STILL have user-agents that will happily downgrade to SSL 3.0. (I don't claim to be a TLS/DNSSEC historian, feel free to correct me.)
While efforts to secure DNS began about the same time, the modern DNSSEC was first operational around 2004, and the first Key Signing Ceremony was only in 2010! I find it fully usable, for those applications that support it. At the application client level, I haven't found any reasons to not support it.
I would venture to guess that Web browsers and other user-agents could make a better impact by deploying DNSSEC support, over forcing TLS usage. The former adds more options for security; the latter imposes costs on users of TLS, whether or not the existing system suits their needs.
I don't see anything wrong with STARTTLS; in fact I find it preferable to having seperate URI schemes for what is otherwise the same resource. (I don't actually run any email servers, but I use STARTTLS with LDAP, XMPP, a proprietary protocol, and the similar RFC 2817 for HTTP. That is, in fact, a thing.) If one requires security, they can always start requests with "STARTTLS"; if a server demands security (for its definition of security), then it can just kill plaintext queries. Nor do I find deployment of TLS on email systems to be particularly behind TLS on HTTP (do you have data on this?). In particular, I do like Alex Russell's assertion that TLS is about "quality of service" (if I understand correctly; my response point being this is not exclusively what security entails), and this is something that exists below the application layer.
Austin.
The problem is that the browser does not know what the data really is... it's only because the input has its type set to password that it can even guess that it might be a password... it's trivial to not mark it as such.On 26 Dec 2014, at 22:49, Jim Manico <jim....@owasp.org> wrote:Submitting a password over HTTP. I mean, this is a really LOW bar to win. May I suggest a few phases?
But then again, should we really be using passwords? They have been proven many times to be broken... i.e. re-use of the same value every time you attempt to login, so once known it can be used time and time again (which is why your credit card identifier/number is really not good enough to protect your money)... but that is a discussion for another day, ideally when we have viable alternatives :-)
Craig
To unsubscribe from this group and stop receiving emails from it, send an email to securi...@chromium.org.
On Dec 27, 2014 1:08 AM, "Austin William Wright" <a...@bzfx.net> wrote:
>
>
>
> On Fri, Dec 26, 2014 at 11:36 PM, Ryan Sleevi <rsl...@chromium.org> wrote:
>
> (snip)
>
>> >>
>> >> That is, the standard could have provided policy and the site could
>> >> have sent a policy that governed the pinset. The site could have
>> >> allowed an override or denied an override. But it was decided all
>> >> users must be subjected to the interception, so the policy elements
>> >> were not provided.
>> >>
>> >> So how's that for strategy: the user does not get a choice in their
>> >> secure connection and the site does not get a choice in its secure
>> >> connection. Rather, some unrelated externality makes the choice.
>> >
>> >
>> > I share your concerns, and more: Public Key Pinning (and Strict Transport Security, for that matter) is awfully specific to HTTP, even though it has nothing to do with HTTP at all. The proper place to put this information is in DNS records. This has worked reasonably well for Email; or at least I don't see anyone proposing we query SMTP servers for relevant security metadata.
>>
>> I assume that you aren't familiar with STARTTLS? The encryption and security story for email is disastrously worse than anything for HTTP.
>>
>> > So why do this for HTTP? (If one wants to answer that properly stopping forged headers is less important than stopping plaintext cat pictures, color me surprised; if it's because it's a better alternative than unencrypted DNS records for those lacking DNSSEC, that's a better answer, but it's still relegates HPKP and HSTS to the realm of "stopgap measure".)
>> >
>> > Austin.
>>
>> Indeed. From the point of view of client applications, DNSSEC is a complete and utter failure, and will remain so for the next decade, given hardware cycles. If a decade sounds like a stopgap measure, when it was longer than the relevant lifetime of sites like Myspace, so be it, but that seems like a pretty good run to me.
>
>
> I would challenge this notion: The deployment cycle doesn't seem to be that much longer than TLS (underneath HTTP). SSL was first available in 1995, standardized 1996, almost twenty years ago. TLS 1.0 came out 1999 and we STILL have user-agents that will happily downgrade to SSL 3.0. (I don't claim to be a TLS/DNSSEC historian, feel free to correct me.)
I suspect we are far diverging from the topic at hand, so I won't respond in depth.
>
> While efforts to secure DNS began about the same time, the modern DNSSEC was first operational around 2004, and the first Key Signing Ceremony was only in 2010! I find it fully usable, for those applications that support it. At the application client level, I haven't found any reasons to not support it.
>
There are a tremendous amount of issues. Frankly, old hardware (e.g. systems running Windows XP, old home routers, old core routers) needs to go away. They either lack DNSSEC in any sensible level or they actively block it.
Again, this isn't an opinion: support for DNSSEC in client networks and on client software is awful. Not a "fix Chrome" awful, but "fix the Internet, the software stack, the OS" awful.
Beyond all of the operational security issues (which EXCEED those of CAs in many ways), the reality is that it is IPv6 in a pre-RFC 3542 world.
> I would venture to guess that Web browsers and other user-agents could make a better impact by deploying DNSSEC support, over forcing TLS usage. The former adds more options for security; the latter imposes costs on users of TLS, whether or not the existing system suits their needs.
Nope. Wrong wager.
>
> I don't see anything wrong with STARTTLS; in fact I find it preferable to having seperate URI schemes for what is otherwise the same resource. (I don't actually run any email servers, but I use STARTTLS with LDAP, XMPP, a proprietary protocol, and the similar RFC 2817 for HTTP. That is, in fact, a thing.) If one requires security, they can always start requests with "STARTTLS"; if a server demands security (for its definition of security), then it can just kill plaintext queries.
Again, as with HTTP, an attacker can easily strip out the STARTTLS. There are many who already do. The server cannot reject plaintext queries - the attacker need just SSLStrip them.
In short, it provides zero effective security without supplemental out of band policy.
> Nor do I find deployment of TLS on email systems to be particularly behind TLS on HTTP (do you have data on this?).
Multiple organizations, including Google, provide scorecards on TLS support.
There is no question it is behind compared to HTTP.
But more importantly, and to the point in which I was originally responding:
1) SMTP/IMAP do not use DNS to deliver security policy.
2) DNSSEC is a presently-failed technology. That it might improve is a possibility, but not with today's internet
3) DNSSEC is less secure than the CA system, for many reasons
4) most importantly, the lack of a scheme and the opportunistic encryption employed by SMTP make it no different than HTTP - an active attacker can break confidentiality, integrity, or authenticity with near-zero effort, and in a way that people would be surprised to realize.
People assume that emails are like letters in envelopes, when in reality they are postcards. Comparing HTTP to email would be one of the few things doable to make it worse.
I would appreciate a rebuttal; this is nonconstructive.
>
> I don't see anything wrong with STARTTLS; in fact I find it preferable to having seperate URI schemes for what is otherwise the same resource. (I don't actually run any email servers, but I use STARTTLS with LDAP, XMPP, a proprietary protocol, and the similar RFC 2817 for HTTP. That is, in fact, a thing.) If one requires security, they can always start requests with "STARTTLS"; if a server demands security (for its definition of security), then it can just kill plaintext queries.Again, as with HTTP, an attacker can easily strip out the STARTTLS. There are many who already do. The server cannot reject plaintext queries - the attacker need just SSLStrip them.
In short, it provides zero effective security without supplemental out of band policy.
I'm aware of the specifics, though I'll entertain the discussion below.
You describe a client issue; clients know that if an active attacker exists, and they make ANY sort of plaintext query, it's game over. This is not a server problem.
If I say "Meet me in secret at the cafe at 8:00" and you run up to it shouting "There you are! Your password is OPEN SESAME" so everyone hears... there's not much I can do about that, is there? I'm assuming I can say "my network-addressable identifier is exclusively over TLS" in some fashion. If I only let people identify me by <https://example.com/> and you use <http://example.com/> you may as well just have used <https://example.org/> (it's a completely different scheme+authority, even if TLS-secured).
(There's many other ways to encode this requirement for security; it could be encoded into DNS records instead of the scheme. This is what SSH does, as touched on below.)
> Nor do I find deployment of TLS on email systems to be particularly behind TLS on HTTP (do you have data on this?).
Multiple organizations, including Google, provide scorecards on TLS support.
Cross-protocol? Vs. DNSSEC? Link?
There is no question it is behind compared to HTTP.
But more importantly, and to the point in which I was originally responding:
1) SMTP/IMAP do not use DNS to deliver security policy.
SPF and DKIM records? (Aside, I find it funny protecting cat pictures (accessible to anyone!) has become more important than filtering out spam and protecting private, confidential email!)
SSH also uses SSHFP records. This is supposed to be one of the most secure methods of communication, period!
2) DNSSEC is a presently-failed technology. That it might improve is a possibility, but not with today's internet
All I can do is re-assert that on all my machines, on all my clients, on all domain names secured with DNSSEC, it works, and I'm not aware of any attacks on it, AND it's gaining adoption. (I have some brilliant colleagues working on making DNSSEC deployment completely effortless to end-users. This is what we need to do to TLS!) If you have a specific attack, by all means, enlighten me!
Complaining about DNSSEC "adoption isn't big enough so I won't adopt it," and not applying the same standard to the proposal at hand, I find to be, well, a double-standard. People support it, it increases security for those people, and it potentially secures much of the Internet, so either make the case that (1) this is too costly for an engineering team to implement (I would think the proposal at hand is more costly), or (2) that this does not accurately state the security of DNSSEC (I'd be happy to examine the evidence).
3) DNSSEC is less secure than the CA system, for many reasons
I don't think I've heard this before. The CA system allows any one of hundreds of CAs to sign a domain name. DNS allows just one. Unless there's a technical flaw I'm unaware of, I choose the latter as more trustworthy, and thereby more secure.
Specific references and studies would be welcome.
4) most importantly, the lack of a scheme and the opportunistic encryption employed by SMTP make it no different than HTTP - an active attacker can break confidentiality, integrity, or authenticity with near-zero effort, and in a way that people would be surprised to realize.
People assume that emails are like letters in envelopes, when in reality they are postcards. Comparing HTTP to email would be one of the few things doable to make it worse.
I speak strictly of the point-to-point facilities of SMTP, encrypted or not, fully aware of the lack of end-to-end encryption on messages.
Austin.
On Fri, Dec 26, 2014 at 8:12 PM, Brian Smith <br...@briansmith.org> wrote:I agree, but assuming that navigations can be upgraded to HTTPS can
> Even Chrome's 58% number is probably under-estimating the number of
> navigations that *could* happen loaded over HTTPS. I think a key to
> making a successful UI change like the one proposed is to identify
> HTTP loads that could be HTTPS loads, and actively make them HTTPS
> loads, similar to what HTTPS Everywhere does. Both browsers do this
> with HSTS and HSTS preloading, but that approach is too conservative.
> We need to find a way to measure this gap between "could be HTTPS" and
> "is HTTPS" and then more actively close that gap.
sometimes lead to surprising results, or at least ineffective results.
* https://example.com redirects to http://example.com (now we've
slowed down the page load time for no benefit, except perhaps
telemetry)
* https://example.com is the admin interface; http://example.com is
the public site (i.e. different applications distinguished only by the
URL's scheme)
Yeah, that's a bug we need to fix. I think we gradually are? I have
> It would also be useful to consider search metrics. When I search for
> "RFC 5246" with Google Search or Yahoo! Search, the top result is
> http://tools.ietf.org/html/rfc5246. But,
> HTTPS://tools.ietf.org/html/rfc5246 has the exact-same content. How
> often does this happen? What can be done to make search engines
> consider the HTTPS:// variant the canonical, default, choice? (Note:
> RFC 5246 is the TLS 1.2 specification.)
pinged the relevant people.
I think you are probably right, but I am not sure we should balkanize the web.
> Are the Chrome numbers available broken down by geography and/or
> language? I think it is likely to be the case that different
> populations (e.g. German language websites vs. Chinese-language
> websites) have quite different mixes of HTTP vs. HTTPS usage.
> Comparing some of the country-specific Alexa lists seems to support
> this idea. Peoples' understanding and reaction to security indicator
> changes is likely to be varied by locale too. Also, it is likely that
> some locales will reach whatever thresholds for triggering a UX change
> well before other locales. Should such UX changes be rolled out
> separately by locale?
On Mon, Dec 29, 2014 at 12:59 PM, 'Chris Palmer' via Security-devThere are a variety of signals, at a variety of quality levels, that
<securi...@chromium.org> wrote:
> On Fri, Dec 26, 2014 at 8:12 PM, Brian Smith <br...@briansmith.org> wrote:
>> It would also be useful to consider search metrics. When I search for
>> "RFC 5246" with Google Search or Yahoo! Search, the top result is
>> http://tools.ietf.org/html/rfc5246. But,
>> HTTPS://tools.ietf.org/html/rfc5246 has the exact-same content. How
>> often does this happen? What can be done to make search engines
>> consider the HTTPS:// variant the canonical, default, choice? (Note:
>> RFC 5246 is the TLS 1.2 specification.)
>
> Yeah, that's a bug we need to fix. I think we gradually are? I have
> pinged the relevant people.
can be used to infer that the scheme is irrelevant. I think some of it
will require heuristics / improvements in the search and indexing side
(and, as Chris said, I know that people at Google are looking at such
signals).
Of the things that apply now, what sites can be doing is:
1) Ensuring HTTP redirects to HTTPS
2) Use canonical URLs - see
https://support.google.com/webmasters/answer/139066?hl=en
3) Use HSTS, when available.
These three things - especially the first two - are signals that most
search engines are already taking into consideration. But all of them
require some degree of a site signalling the intent, which is
understandably a problem of scale. We're also working to evangelize
this better.
> Of the things that apply now, what sites can be doing is:
1) Ensuring HTTP redirects to HTTPS
2) Use canonical URLs - see
https://support.google.com/webmasters/answer/139066?hl=en
3) Use HSTS, when available.
I think that HTTP-redirect as a solution is "too late". The ••preloaded•• HTST headers initiative seems to be the right solution in order to avoid that initial HTTP request...
I don't think preloaded HSTS is part of the HSTS standard. How could we raise adoption?
--
Jim Manico
@Manicode
(808) 652-3805
Of the things that apply now, what sites can be doing is:--Jim Manico@Manicode(808) 652-3805
2) Use canonical URLs - see
https://support.google.com/webmasters/answer/139066?hl=en
3) Use HSTS, when available.
On Mon, Dec 29, 2014 at 8:01 PM, Jim Manico <jim....@owasp.org> wrote:
>> Of the things that apply now, what sites can be doing is:
> 1) Ensuring HTTP redirects to HTTPSI'm sorry it wasn't clearer what I was saying - but this is about
> 2) Use canonical URLs - see
> https://support.google.com/webmasters/answer/139066?hl=en
> 3) Use HSTS, when available.
>
> I think that HTTP-redirect as a solution is "too late". The ••preloaded••
> HTST headers initiative seems to be the right solution in order to avoid
> that initial HTTP request...
answering the question about "How do we get search engines to prefer
HTTPS". This is how.
If your search engine is linking to HTTPS because it detected the
above three, then your link is to HTTPS, and thus you don't have that
window.
It doesn't need to be.
>
> https://hstspreload.appspot.com/
>
> I don't think preloaded HSTS is part of the HSTS standard. How could we
> raise adoption?
>
Right.
I'm just politely critiquing what I see as advice regarding HTTPS/TLS
configuration that seems lacking. And yes I pivoted to asking about
•preloaded• HSTS evangelism since I feel it makes the search engine
question moot. Who cares if a search engine returns HTTP or HTTPS
links if we have widespread adoption of preloaded HSTS sites that make
the change in the client.
That's where my thinking was; my apologies if I detailed the conversation.
I'm just politely critiquing what I see as advice regarding HTTPS/TLS
configuration that seems lacking. And yes I pivoted to asking about
•preloaded• HSTS evangelism since I feel it makes the search engine
question moot. Who cares if a search engine returns HTTP or HTTPS
links if we have widespread adoption of preloaded HSTS sites that make
the change in the client.
That's where my thinking was; my apologies if I detailed the conversation.
--
Jim Manico
@Manicode
(808) 652-3805
As for raising adoption, people just need to talk about it. I'm not sure why more entities that have preloaded their domains aren't putting up blog posts or press releases about it. "We're so secure that we're hardcoded into browsers" seems like an all-upside PR move. I know I'm working on taking advantage of that in my own work.
> The problem is that the browser does not know what the data really is... it's only because the input has its type set to password that it can even guess that it might be a password... it's trivial to not mark it as such.I am really confused by this response. I say when the developer uses a type="password" field, we should assume the input is a sensitive credential, warn the user (at least) if it's over HTTP, and potentially even block password fields from being sent over HTTP. This will "break" while I'm working in dev so it should be rare when new apps have this data-exposure problem. Sure, this defense may break legacy apps, but it *SHOULD* break legacy apps that send passwords over HTTP due to password reuse and all the other modern problems with passwords.
So I say the browser absolutely knows that the data is - it's data that is sent over a field that a developer specifically labeled as a password. Passwords must be sent over HTTPS or nothing in today's threatscape.
With respect,
- Jim
So I say the browser absolutely knows that the data is - it's data that is sent over a field that a developer specifically labeled as a password. Passwords must be sent over HTTPS or nothing in today's threatscape.
Hi Jim,
I really appreciate what you're saying, and I would really like this as well.
But think about it from the typical programmers point of view... their customers/managers might complain that the password field "looks odd" (the warning approach - where they won't read the error message, that's too difficult)... or does not work at all.
That developer might implement HTTPS... but in most cases (because they don't have time, or possibly too lazy, with a manager saying "just fix it, and there's no budget for this"), they will just change the input type to "text"... and possibly copy/paste a jQuery plugin that will "bring back the dots", e.g.
That's assuming the developer does not say that the browser is broken, and they should use a different one (I've unfortunately seen this response a few times before).
Craig
Craig,
I would agree with the later perspective you are stating 10 maybe 5 years ago, Craig. But with so many incredibly highly-visible hacking incidents in the last few years, the culture around developers and users perspective of security is rapidly changing. You have a chance to be bold at the standard level, possibly even get all of the major browsers to agree to said standard, and be a bit more aggressive in application security education and awareness in the browser. How much can that slider be increased? I'm not sure. But again I really think this one, forcing a password field to be transported encrypted, is such a low bar in terms of increasing security in the browser.
So when a developer allows a users credential to be sent plaintext, it's a huge application security crime. If the browser lets this happen without any attempt to warn the user or developer, then I call the browser a serious accomplice in this terrible and very basic security crime.
- Jim
I would agree with the later perspective you are stating 10 maybe 5 years ago, Craig. But with so many incredibly highly-visible hacking incidents in the last few years, the culture around developers and users perspective of security is rapidly changing. You have a chance to be bold at the standard level, possibly even get all of the major browsers to agree to said standard, and be a bit more aggressive in application security education and awareness in the browser. How much can that slider be increased? I'm not sure. But again I really think this one, forcing a password field to be transported encrypted, is such a low bar in terms of increasing security in the browser.
So when a developer allows a users credential to be sent plaintext, it's a huge application security crime. If the browser lets this happen without any attempt to warn the user or developer, then I call the browser a serious accomplice in this terrible and very basic security crime.
- Jim
On 3 Jan 2015, at 08:15, Jim Manico <jim....@owasp.org> wrote:You have a chance to be bold at the standard level, possibly even get all of the major browsers to agree to said standard, and be a bit more aggressive in application security education and awareness in the browser.
Hi Jim,
I really share your frustration, and going back to the original proposal (Marking HTTP As Non-Secure), I believe that is a better solution than alerting users about forms submitting passwords over HTTP.
Keeping in mind that many websites that have implemented HTTPS still use HTTP to load the form, hope that the form still submits to the correct HTTPS url, sets a (non-secure) cookie, and redirects back to the HTTP website... because "HTTP is faster":
It's also why the HTTP shaming blog is constantly posting examples of this very problem (and not that many websites fix the issues afterwards):
I wish I can be as optimistic as you about the culture for developers and general security improvements... unfortunately nearly every website developer I have talked to (at quite a few conferences) have little to no knowledge about the security features available to them... they generally want to get the job done, and leave the office by 5:30pm.
It's one of the reasons I'm really pushing for a security tab in the web dev tools, to help with education and usage of the features that are available... i.e. have you tried implementing a CSP header before? it's good fun :-)
Craig
On 3/01/2015 08:15 am, Jim Manico wrote:> incidents in the last few years, /the culture around developers and
> Craig,
>
> I would agree with the later perspective you are stating 10 maybe 5
> years ago, Craig. But with so many incredibly highly-visible hacking
> users perspective of security is rapidly changing/. You have a chance to
> be bold at the standard level, possibly even get all of the majorThe chance to be bold doesn't come around very often. Now people are
> browsers to agree to said standard, and be a bit more aggressive in
> application security education and awareness in the browser. How much
> can that slider be increased? I'm not sure.
thinking about Snowden, this is the best opportunity to make sweeping
changes we have seen since forever.
Every change results in someone losing something, and that someone
decided to take on the jihad to save themselves a little. Every whinge
and whine comes at the expense of everyone else. Every excuse places
short term, individual issues above the health of the entire ecosystem.
The chance to be bold has probably reached its peak. It probably won't
get any stronger than today. Don't blink...
> a huge application security crime. _*If the browser lets this happen
> But again I really think
> this one, forcing a password field to be transported encrypted, is such
> a low bar in terms of increasing security in the browser.
>
> So when a developer allows a users credential to be sent plaintext, it's
> without any attempt to warn the user or developer, then I call theIn general I agree with HTTPS for all passwords.
> browser a serious accomplice in this terrible and very basic security
> crime.
Only mild comment I'd make is that the whole '****' thing is soooo
1980s. I'm specifically talking about university terminal labs, where
students would shoulder surf to steal accounts. These days, people want
(need) to see the passwords in clear on the screen because they are so
bloody difficult to type because they have to read an 8 hieroglyph
masterpiece out of a paper or phone record to keep them secure.
Shoulder surfing is the least of people's worries, that they can deal
with by ... looking behind them.
Security tips become received wisdom become millstones as the threat
moves on...
iang
> On 1/2/15 9:55 PM, Craig Francis wrote:
>>
>> On 2 Jan 2015, at 22:09, Jim Manico <jim....@owasp.org
>> <mailto:jim....@owasp.org>> wrote:>>> password. Passwords /*must*/ be sent over HTTPS or nothing in today's
>>
>>> So I say the browser absolutely knows that the data is - it's data
>>> that is sent over a field that a developer specifically labeled as a
>>> threatscape.> _______________________________________________
>>
>>
>> Hi Jim,
>>
>> I really appreciate what you're saying, and I would really like this
>> as well.
>>
>> But think about it from the typical programmers point of view... their
>> customers/managers might complain that the password field "looks odd"
>> (the warning approach - where they won't read the error message,
>> that's too difficult)... or does not work at all.
>>
>> That developer might implement HTTPS... but in most cases (because
>> they don't have time, or possibly too lazy, with a manager saying
>> "just fix it, and there's no budget for this"), they will just change
>> the input type to "text"... and possibly copy/paste a jQuery plugin
>> that will "bring back the dots", e.g.
>>
>> http://www.jqueryscript.net/form/iOS-Like-Plain-Text-Input-of-Password-with-jQuery-mobilePassword-Plugin.html
>>
>>
>> http://css-tricks.com/better-password-inputs-iphone-style/
>>
>> That's assuming the developer does not say that the browser is broken,
>> and they should use a different one (I've unfortunately seen this
>> response a few times before).
>>
>> Craig
>
> dev-security mailing list
> dev-se...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security
> Only mild comment I'd make is that the whole '****' thing is soooo 1980s. I'm specifically talking about university terminal labs, where students would shoulder surf to steal accounts. These days, people want (need) to see the passwords in clear on the screen because they are so bloody difficult to type because they have to read an 8 hieroglyph masterpiece out of a paper or phone record to keep them secure.IE addresses this well. Password fields default to not displaying
entered text, but users can click to make that field visible again.
This is an example of tiny decrease in security for a major increase
in usability.
--
Jim Manico
@Manicode
(808) 652-3805
--
Jim Manico
@Manicode
(808) 652-3805
> It's one of the reasons I'm really pushing for a security tab in the web dev tools, to help with education and usage of the features that are available... i.e. have you tried implementing a CSP header before? it's good fun :-)Cool. I'm running CSP on several of my sites. Easy to set up for new
development, lots of tools out there to make it easier. script hashing
and script noncing are awesome. I can even easily protect inline
scripts now...
Building complex websites is very tough. Security is just another
engineering task... :)
--
Jim Manico
@Manicode
(808) 652-3805
On 3 Jan 2015, at 20:55, Jim Manico <jim....@owasp.org> wrote:
>> It's one of the reasons I'm really pushing for a security tab in the web dev tools, to help with education and usage of the features that are available... i.e. have you tried implementing a CSP header before? it's good fun :-)
>
> Cool. I'm running CSP on several of my sites. Easy to set up for newVery true... but I personally don't think we have the tools in place to help developers know about (or use) these security features... e.g. any feedback for a failed HPKP header?
> development, lots of tools out there to make it easier. script hashing
> and script noncing are awesome. I can even easily protect inline
> scripts now...
>
> Building complex websites is very tough. Security is just another
> engineering task... :)
https://code.google.com/p/chromium/issues/detail?id=445793
But either way, well done with using CSP... personally I'm still not sure about using inline JS with nonces/hashes as I don't want to block out older browsers.
Which reminds me, I need to find out which browser versions don't understand paths after the domain name, as I want to specify them, but will need to do some UA sniffing to strip the paths for them... I have a feeling it might be Firefox, where v34 seems to ignore the path (only working against the domain), but I think an earlier version dropped the whole thing (blocking everything).
But getting back to marking HTTP as non-secure... all of these features are useless without HTTPS (easy to strip the CSP header over HTTP)... and that's why the more generic solution seems to be the only way, especially as ianG points out, this is the perfect time to be doing this (not that I don't like your idea of alerting users about passwords, I just think there are too many ways around it to be effective).
Craig
> e.g. any feedback for a failed HPKP header?You mean the •experimental• HPKP headers that my friends in London
were using on their sites, discovered a few bugs, and submitted that
feedback directly to the Chrome developer over the holidays (who was
stoked for the feedback and is working on fixes), and we'll see those
updates in Chromium soon? Those headers?
:)
Every time a password field is sent over HTTP I cry a little on the
inside, but I will work through it somehow.... •wink•
Aloha,
--
Jim Manico
@Manicode
(808) 652-3805
On 7 Jan 2015, at 11:47, Jim Manico <jim....@owasp.org> wrote:Yep, but it is supposedly working in Chrome 39... or at least the pins appear in:
>> e.g. any feedback for a failed HPKP header?
>
> You mean the •experimental• HPKP headers that my friends in London
> were using on their sites, discovered a few bugs, and submitted that
> feedback directly to the Chrome developer over the holidays (who was
> stoked for the feedback and is working on fixes), and we'll see those
> updates in Chromium soon? Those headers?
>
> :)
chrome://net-internals/#hsts
Unfortunately I've got to get back to "real work" rather than getting a second signed certificate to check if the valid pins still block it (perhaps a bit expensive / time consuming for a little side project test).
But assuming they do, the feature is kind of implemented already :-)
Same here... but the same can be said about the session cookie that is used afterwards on HTTP, or the login form that was loaded over HTTP in the first place (even if the form action is set to a HTTPS URL), or the "AJAX" request that sends the login details over HTTP - because everything has to use JS now :-P
On 7 Jan 2015, at 11:47, Jim Manico <jim....@owasp.org> wrote:
> Every time a password field is sent over HTTP I cry a little on the
> inside, but I will work through it somehow.... •wink•
Craig
The experimental IETF Pinning headers in Chrome/Chromium are broken in
several ways, bugs have been submitted and it's being worked on. I can
put you in touch with the bug submitter if you like.
several ways, bugs have been submitted and it's being worked on. I can
put you in touch with the bug submitter if you like.
Aloha,
--
Jim Manico
@Manicode
(808) 652-3805
On Wed, Jan 7, 2015 at 4:40 AM, Jim Manico <jim....@owasp.org> wrote:Anything besides
> The experimental IETF Pinning headers in Chrome/Chromium are broken in
> several ways, bugs have been submitted and it's being worked on. I can
> put you in touch with the bug submitter if you like.
https://code.google.com/p/chromium/issues/detail?id=445793
?
I'm still crawling out from under holiday email load, so I might not
have seen all the new stuff yet.
On 1/7/15 4:40 AM, Jim Manico wrote:Have you tried the same thing in Firefox Beta? We may have a similar
> The experimental IETF Pinning headers in Chrome/Chromium are broken in
> several ways, bugs have been submitted and it's being worked on. I can
> put you in touch with the bug submitter if you like.
interpretation of the specs and have similar bugs.
https://www.mozilla.org/en-US/firefox/35.0beta/releasenotes/
-Dan Veditz
I'll pass this to my people and get back to you. Stoked that Firefox
is on route to supporting pinning!
is on route to supporting pinning!
Aloha,
--
Jim Manico
@Manicode
(808) 652-3805
Hi all, what is the status of this proposal? It calls out for a deployment plan in 2015, but that did not materialize. What is the latest? Thanks!
On Monday, January 25, 2016 at 8:44:35 PM UTC+1, clio...@mindspark.com wrote:Hi all, what is the status of this proposal? It calls out for a deployment plan in 2015, but that did not materialize. What is the latest? Thanks!
Regarding Chromium:
"""On Tuesday, during a presentation at the Usenix Enigma security conference in San Francisco, Google pushed the proposal out in the open with much more fanfare, and gave a sneak peek of how it’s going to look. (You can see the little red “x” on the padlock in the URL bar.)"""
Then there is this bug tracking the implementation https://code.google.com/p/chromium/issues/detail?id=578317
On Thu, Jan 28, 2016 at 8:46 AM, <jirka...@gmail.com> wrote:
On Monday, January 25, 2016 at 8:44:35 PM UTC+1, clio...@mindspark.com wrote:Hi all, what is the status of this proposal? It calls out for a deployment plan in 2015, but that did not materialize. What is the latest? Thanks!Regarding Chromium:"""On Tuesday, during a presentation at the Usenix Enigma security conference in San Francisco, Google pushed the proposal out in the open with much more fanfare, and gave a sneak peek of how it’s going to look. (You can see the little red “x” on the padlock in the URL bar.)"""
That article is inaccurate. That screenshot is from a presentation by Cloudflare, not Google, and does not constitute an announcement from Google. It's just what you can get by turning on the Mark Non-Secure Origins As Non-Secure flag in chrome://flags (which I added quite a while ago).
We'll announce something when we're ready, though.
On Friday, December 12, 2014 at 7:46:36 PM UTC-5, Chris Palmer wrote:
> Hi everyone,
>
>
> Apologies to those of you who are about to get this more than once, due to the cross-posting. I'd like to get feedback from a wide variety of people: UA developers, web developers, and users. The canonical location for this proposal is: https://www.chromium.org/Home/chromium-security/marking-http-as-non-secure.
>
>
>
> Proposal
>
> We, the Chrome Security Team, propose that user agents (UAs) gradually change their UX to display non-secure origins as affirmatively non-secure. We intend to devise and begin deploying a transition plan for Chrome in 2015.
>
> The goal of this proposal is to more clearly display to users that HTTP provides no data security.
>
> Request
>
> We’d like to hear everyone’s thoughts on this proposal, and to discuss with the web community about how different transition plans might serve users.
>
> Background
>
> We all need data communication on the web to be secure (private, authenticated, untampered). When there is no data security, the UA should explicitly display that, so users can make informed decisions about how to interact with an origin.
>
> Roughly speaking, there are three basic transport layer security states for web origins:
>
> Secure (valid HTTPS, other origins like (*, localhost, *));
> Dubious (valid HTTPS but with mixed passive resources, valid HTTPS with minor TLS errors); and
> Non-secure (broken HTTPS, HTTP).
>
> For more precise definitions of secure and non-secure, see Requirements for Powerful Features and Mixed Content.
>
> We know that active tampering and surveillance attacks, as well as passive surveillance attacks, are not theoretical but are in fact commonplace on the web.
>
> RFC 7258: Pervasive Monitoring Is an Attack
> NSA uses Google cookies to pinpoint targets for hacking
> Verizon’s ‘Perma-Cookie’ Is a Privacy-Killing Machine
> How bad is it to replace adSense code id to ISP's adSense ID on free Internet?
> Comcast Wi-Fi serving self-promotional ads via JavaScript injection
> Erosion of the moral authority of transparent middleboxes
> Transitioning The Web To HTTPS
>
> We know that people do not generally perceive the absence of a warning sign. (See e.g. The Emperor's New Security Indicators.) Yet the only situation in which web browsers are guaranteed not to warn users is precisely when there is no chance of security: when the origin is transported via HTTP. Here are screenshots of the status quo for non-secure domains in Chrome, Safari, Firefox, and Internet Explorer:
>
>
>
>
>
>
>
>
>
> Particulars
>
> UA vendors who agree with this proposal should decide how best to phase in the UX changes given the needs of their users and their product design constraints. Generally, we suggest a phased approach to marking non-secure origins as non-secure. For example, a UA vendor might decide that in the medium term, they will represent non-secure origins in the same way that they represent Dubious origins. Then, in the long term, the vendor might decide to represent non-secure origins in the same way that they represent Bad origins.
>
> Ultimately, we can even imagine a long term in which secure origins are so widely deployed that we can leave them unmarked (as HTTP is today), and mark only the rare non-secure origins.
>
> There are several ways vendors might decide to transition from one phase to the next. For example, the transition plan could be time-based:
>
> T0 (now): Non-secure origins unmarked
> T1: Non-secure origins marked as Dubious
> T2: Non-secure origins marked as Non-secure
> T3: Secure origins unmarked
>
> Or, vendors might set thresholds based on telemetry that measures the ratios of user interaction with secure origins vs. non-secure. Consider this strawman proposal:
>
> Secure > 65%: Non-secure origins marked as Dubious
> Secure > 75%: Non-secure origins marked as Non-secure
> Secure > 85%: Secure origins unmarked
>
> The particular thresholds or transition dates are very much up for discussion. Additionally, how to define “ratios of user interaction” is also up for discussion; ideas include the ratio of secure to non-secure page loads, the ratio of secure to non-secure resource loads, or the ratio of total time spent interacting with secure vs. non-secure origins.
>
> We’d love to hear what UA vendors, web developers, and users think. Thanks for reading!
Bad idea; will promote "error blindness". Please be judicious in your attempts to use your product / platform as a mechanism to change the culture of the web.
There is little inherently "broken" about HTTP (without the "S"). It has security limitations which it's audience accepts. Over the years people have been trained to look for proactive signs of security (https, green lock, etc) when they are doing activities that are sensitive (email, banking transactions, etc).
You would be much better advised to create proactive mechanisms for detecting suspicious activity (man-in-the-middle attacks) and alerting when there really is a bonafide threat, as opposed to creating signal pollution in your UX.
I leave you with this:
http://image.shutterstock.com/z/stock-photo-street-intersection-congested-with-street-signs-57695734.jpg
> Hi everyone,
>
>
> Apologies to those of you who are about to get this more than once, due to the cross-posting. I'd like to get feedback from a wide variety of people: UA developers, web developers, and users. The canonical location for this proposal is: https://www.chromium.org/Home/chromium-security/marking-http-as-non-secure.
>
>
>
> Proposal
>
> We, the Chrome Security Team, propose that user agents (UAs) gradually change their UX to display non-secure origins as affirmatively non-secure. We intend to devise and begin deploying a transition plan for Chrome in 2015.
>
> The goal of this proposal is to more clearly display to users that HTTP provides no data security.
>
> Request
>
> We’d like to hear everyone’s thoughts on this proposal, and to discuss with the web community about how different transition plans might serve users.
>
> Background
>
> We all need data communication on the web to be secure (private, authenticated, untampered). When there is no data security, the UA should explicitly display that, so users can make informed decisions about how to interact with an origin.
>
> Roughly speaking, there are three basic transport layer security states for web origins:
>
> Secure (valid HTTPS, other origins like (*, localhost, *));
> Dubious (valid HTTPS but with mixed passive resources, valid HTTPS with minor TLS errors); and
> Non-secure (broken HTTPS, HTTP).
>
> For more precise definitions of secure and non-secure, see Requirements for Powerful Features and Mixed Content.
>
> We know that active tampering and surveillance attacks, as well as passive surveillance attacks, are not theoretical but are in fact commonplace on the web.
>
> RFC 7258: Pervasive Monitoring Is an Attack
> NSA uses Google cookies to pinpoint targets for hacking
> Verizon’s ‘Perma-Cookie’ Is a Privacy-Killing Machine
> How bad is it to replace adSense code id to ISP's adSense ID on free Internet?
> Comcast Wi-Fi serving self-promotional ads via JavaScript injection
> Erosion of the moral authority of transparent middleboxes
> Transitioning The Web To HTTPS
>
> We know that people do not generally perceive the absence of a warning sign. (See e.g. The Emperor's New Security Indicators.) Yet the only situation in which web browsers are guaranteed not to warn users is precisely when there is no chance of security: when the origin is transported via HTTP. Here are screenshots of the status quo for non-secure domains in Chrome, Safari, Firefox, and Internet Explorer:
>
>
>
>
>
>
>
>
>
> Particulars
>
> UA vendors who agree with this proposal should decide how best to phase in the UX changes given the needs of their users and their product design constraints. Generally, we suggest a phased approach to marking non-secure origins as non-secure. For example, a UA vendor might decide that in the medium term, they will represent non-secure origins in the same way that they represent Dubious origins. Then, in the long term, the vendor might decide to represent non-secure origins in the same way that they represent Bad origins.
>
> Ultimately, we can even imagine a long term in which secure origins are so widely deployed that we can leave them unmarked (as HTTP is today), and mark only the rare non-secure origins.
>
> There are several ways vendors might decide to transition from one phase to the next. For example, the transition plan could be time-based:
>
> T0 (now): Non-secure origins unmarked
> T1: Non-secure origins marked as Dubious
> T2: Non-secure origins marked as Non-secure
> T3: Secure origins unmarked
>
> Or, vendors might set thresholds based on telemetry that measures the ratios of user interaction with secure origins vs. non-secure. Consider this strawman proposal:
>
> Secure > 65%: Non-secure origins marked as Dubious
> Secure > 75%: Non-secure origins marked as Non-secure
> Secure > 85%: Secure origins unmarked
>
> The particular thresholds or transition dates are very much up for discussion. Additionally, how to define “ratios of user interaction” is also up for discussion; ideas include the ratio of secure to non-secure page loads, the ratio of secure to non-secure resource loads, or the ratio of total time spent interacting with secure vs. non-secure origins.
>
> We’d love to hear what UA vendors, web developers, and users think. Thanks for reading!
Bad idea; will promote "error blindness". Please be judicious in your attempts to use your product / platform as a mechanism to change the culture of the web.
There is little inherently "broken" about HTTP (without the "S"). It has security limitations which it's audience accepts. Over the years people have been trained to look for proactive signs of security (https, green lock, etc) when they are doing activities that are sensitive (email, banking transactions, etc).
You would be much better advised to create proactive mechanisms for detecting suspicious activity (man-in-the-middle attacks) and alerting when there really is a bonafide threat, as opposed to creating signal pollution in your UX.
I leave you with this:
http://image.shutterstock.com/z/stock-photo-street-intersection-congested-with-street-signs-57695734.jpg
On Fri, Jan 29, 2016 at 1:09 PM, <ric...@leapbeyond.com> wrote:
You would be much better advised to create proactive mechanisms for detecting suspicious activity (man-in-the-middle attacks) and alerting when there really is a bonafide threat
That is exactly what HTTPS is.
, as opposed to creating signal pollution in your UX.I leave you with this:
http://image.shutterstock.com/z/stock-photo-street-intersection-congested-with-street-signs-57695734.jpg
Currently, Chrome (and most other browsers) show only the equivalent of the traffic light. We propose to wire up the red lamp. (Recently, we unhooked the yellow lamp, precisely because a proliferation of signals confuses and annoys people: https://googleonlinesecurity.blogspot.com/2015/10/simplifying-page-security-icon-in-chrome.html)
There are no plans, at the moment, to add a No Skateboarding sign to Chrome.
This is absolutely great! And with many options for web site operators to obtain certs now, the timing couldn't be any better. Is there a graphic somewhere of what the new UX state will look like in Chrome? Has there been any discussion (or I guess, more to the point interest) with other browser vendors to unify the experience?
Chris,
I'm a big fan of this rather progressive move from Google over the "Marking HTTP As Non-Secure".
1) Do you have any plans to make this feature enabled by default in 2016?
2) Do you have any plans to coordinate the change with other browsers; at least FireFox?
Thanks again.
- Jim
PS: Regarding "There are no plans, at the moment, to add a No Skateboarding sign to Chrome" what about the "no parking on bridge" sign?
I'm a big fan of this rather progressive move from Google over the "Marking HTTP As Non-Secure".
1) Do you have any plans to make this feature enabled by default in 2016?
2) Do you have any plans to coordinate the change with other browsers; at least FireFox?
Thanks again.
- Jim
PS: Regarding "There are no plans, at the moment, to add a No Skateboarding sign to Chrome" what about the "no parking on bridge" sign?
On 29 January 2016 at 13:09, <ric...@leapbeyond.com> wrote:There is a ton of UI/UX research that people do not notice the absence
> There is little inherently "broken" about HTTP (without the "S"). It has security limitations which it's audience accepts. Over the years people have been trained to look for proactive signs of security (https, green lock, etc) when they are doing activities that are sensitive (email, banking transactions, etc).
of positive indicators. One can train as much as they want, but the
training has not worked to date.
--
Eitan Adler
On 29 January 2016 at 13:09, <ric...@leapbeyond.com> wrote:
> There is little inherently "broken" about HTTP (without the "S"). It has security limitations which it's audience accepts. Over the years people have been trained to look for proactive signs of security (https, green lock, etc) when they are doing activities that are sensitive (email, banking transactions, etc).
Also, "email" only in the last several years hit the point where it was generally considered "sensitive" and encrypted by default.
And it was Google then who led by enforcing HTTPS for Gmail in early 2010:
Most other companies didn't move until the potential dangers were made more viscerally real to them with Firesheep, which came out in October 2010.
And so now email is "sensitive" because of a combination of proactive and reactive leadership that changed the status quo. I don't remember feeling annoyed or worried about my webmail being served over plain HTTP in 2008. I didn't "accept" the security limitations -- I didn't understand them. Other people had to realize on my behalf that I was in danger, and I am glad that they did.
You may personally accept HTTP's security limitations, but that doesn't mean anyone is obligated to serve you plain HTTP, and it doesn't mean anyone ethically has to refrain from strongly incentivizing websites to give users the security they deserve.
-- Eric
There is a ton of UI/UX research that people do not notice the absence
of positive indicators. One can train as much as they want, but the
training has not worked to date.
--
Eitan Adler
--
You received this message because you are subscribed to the Google Groups "Security-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to securi...@chromium.org.
Hi Everyone,
I am new to posting, a former "Watcher" they put root in the corner, but I really do like the proposal so I felt compelled to write. In fact for the last couple of years, certain agencies/as well as bad actors, that I will not name have covertly been able to literally see what I see and go where I go when the pages are not secured. On one hand it helped US government agents take a ride with me to the dark side and provided them with information that they never would have been able to get or understand without me, to protect all of us from really bad actors, plots and more. I guess your a patriot if you give up your life for others, but I am not cut from their cloth so that doesn't jive well with me, it shouldn't be that way. Not anymore at least.
On the other hand bad actors would literally, see what I was seeing including my medical research, years of work used or sold by bad actors solely based on the pages I was viewing that were not secured, followed by redirecting me to terrorist websites. I ended up in jail for drugs I never bought but my credit card was used, a former agent ended up in jail, a very disturbing situation to say the least. He was from the "old school days" of law enforcement he didn't stand a chance and didn't deserve what he got because "the higher ups" didn't take the time to listen or understand that little person screaming at the top of her lungs. Very sad indeed. We have enough bad guys so when a good guy gets put away, it makes you wonder why your still a good guy.
The bad actors would create bogus letters based on the pages I would view, as a way of harassment find my location and mail me things to make me jump out of my skin, all of which a police officer would not be able to understand if you needed to go to them to fill out a report. A new brand of harassment and recruiting tool. Making a user believe law enforcement doesn't care, creating the illusion everything in the world is bad, the pop ups that redirect you to the sites they want you to see, after years of this type of surveillance and really psychological warfare, an impressionable teen or adult could easily become a victim or a recruit for them. All because the pages are not secure. In my experience bad actors don't go underground, they hide in plain site as in non-secured webpages with code in the script.
They have found ways to listen in on calls through my mic/phone... other bad actors would constantly send denial of service attacks, and implement MITM attacks on me, my banks and much more. Everyone said it couldn't be done with Chrome, I've been told to submit bugs, xyz... So for the last 5 years, I have been trying to find ways to secure Chrome. Privacy is now a luxury and its not free, despite all of the fake freedoms they say we have we just don't that's a fact so am grateful to your team and to the other user/developers on here. With DRTbox and Stingray, plus not knowing the integrity of the agent/officer, we all need to be secure. I can promise that when it comes to cyber they are years behind. When you need help they pretend the problem doesn't exist, (as in my case, until you become an asset to them).
Take a look at the command line below, this occurred over air with a different Chrome, without consent. While this was occurring, I noticed that I'd walk into a store, be it Best Buy, Office Max, or The Apple store for purchase while everyone is hooked up to "secure wifi", these bad actors send bad kernal code executions and more. Before you walk out the door after your purchase the damage is already done. My case is extreme, but it is being done.
/opt/google/chrome/chrome--enable-logging--gpu-sandbox-failures-fatalsys--ppapi-flash-(disable)args-enable_htv_video_decode=1--ppapi-flash-path=/opt/google/chrome/pepper/libpeplash/--ui-prioritze-in-gpu-process--use-cras--use-gl=egl--user-data-dir=/home/chronos--vmodule=screen_lockers=!webui_screen_locker=2, *ui/display/chromeos*=1,*1, *as/display*=1,*ui/ozone*=1,*zygote*=1*plugin*=2--ozone-platform=gbm--ozone-use-surfaceless-default-wallpaper-large=1usr/share/chromeos/-assets/wallpaper/oem_small.jpg --guest-assets/wallpaper/guest-small.jpg--max-tiles-for-interest-area=512--max-unused-resource-memory-usage-percentage=5--has-chromeos-keyboard --login-profile=user=bwsi--homepage-chrome://newtab/--incongnito--log-level=1 --login-user=$guest--obbe-guest-session--login-user=$guest--login-profile=f00cd7b941583--disable-sync--disable-extension--ozone-use *surfaceless
I wanted to take what I have been through to the next level and go to the Financial Times Security Summit, where the heads of most companies I have in one way or another been on the phone with, will be, this coming March. Having had in one way or another spoken to the heads of banks, healthcare providers, medical institutions, all of which have been tampered with and the credit bureaus, something needs to be done. My background is medical research, so I'd rather go to DC, to discuss other matters.....I am glad you are all on top of this, I wouldn't have survived the last 5 years if you were not. It is really hard explaining to friends and family what is really happening. Its the mindset that, if I ignore it long enough it will go away, or its just too crazy. We all have parents, so knowing what someone is possibly doing to them, is a painful site. So Thank you again!!!!!!!!! A million times.
I love the proposal, please keep me posted.
Thanks
Forsight
I am new to posting, a former "Watcher" they put root in the corner, but I really do like the proposal so I felt compelled to write. In fact for the last couple of years, certain agencies/as well as bad actors, that I will not name have covertly been able to literally see what I see and go where I go when the pages are not secured. On one hand it helped US government agents take a ride with me to the dark side and provided them with information that they never would have been able to get or understand without me, to protect all of us from really bad actors, plots and more. I guess your a patriot if you give up your life for others, but I am not cut from their cloth so that doesn't jive well with me, it shouldn't be that way. Not anymore at least.
On the other hand bad actors would literally, see what I was seeing including my medical research, years of work used or sold by bad actors solely based on the pages I was viewing that were not secured, followed by redirecting me to terrorist websites. I ended up in jail for drugs I never bought but my credit card was used, a former agent ended up in jail, a very disturbing situation to say the least. He was from the "old school days" of law enforcement he didn't stand a chance and didn't deserve what he got because "the higher ups" didn't take the time to listen or understand that little person screaming at the top of her lungs. Very sad indeed. We have enough bad guys so when a good guy gets put away, it makes you wonder why your still a good guy.
The bad actors would create bogus letters based on the pages I would view, as a way of harassment find my location and mail me things to make me jump out of my skin, all of which a police officer would not be able to understand if you needed to go to them to fill out a report. A new brand of harassment and recruiting tool. Making a user believe law enforcement doesn't care, creating the illusion everything in the world is bad, the pop ups that redirect you to the sites they want you to see, after years of this type of surveillance and really psychological warfare, an impressionable teen or adult could easily become a victim or a recruit for them. All because the pages are not secure. In my experience bad actors don't go underground, they hide in plain site as in non-secured webpages with code in the script.
They have found ways to listen in on calls through my mic/phone... other bad actors would constantly send denial of service attacks, and implement MITM attacks on me, my banks and much more. Everyone said it couldn't be done with Chrome, I've been told to submit bugs, xyz... So for the last 5 years, I have been trying to find ways to secure Chrome. Privacy is now a luxury and its not free, despite all of the fake freedoms they say we have we just don't that's a fact so am grateful to your team and to the other user/developers on here. With DRTbox and Stingray, plus not knowing the integrity of the agent/officer, we all need to be secure. I can promise that when it comes to cyber they are years behind. When you need help they pretend the problem doesn't exist, (as in my case, until you become an asset to them).
Take a look at the command line below, this occurred over air with a different Chrome, without consent. While this was occurring, I noticed that I'd walk into a store, be it Best Buy, Office Max, or The Apple store for purchase while everyone is hooked up to "secure wifi", these bad actors send bad kernal code executions and more. Before you walk out the door after your purchase the damage is already done. My case is extreme, but it is being done.
/opt/google/chrome/chrome--enable-logging--gpu-sandbox-failures-fatalsys--ppapi-flash-(disable)args-enable_htv_video_decode=1--ppapi-flash-path=/opt/google/chrome/pepper/libpeplash/--ui-prioritze-in-gpu-process--use-cras--use-gl=egl--user-data-dir=/home/chronos--vmodule=screen_lockers=!webui_screen_locker=2, *ui/display/chromeos*=1,*1, *as/display*=1,*ui/ozone*=1,*zygote*=1*plugin*=2--ozone-platform=gbm--ozone-use-surfaceless-default-wallpaper-large=1usr/share/chromeos/-assets/wallpaper/oem_small.jpg --guest-assets/wallpaper/guest-small.jpg--max-tiles-for-interest-area=512--max-unused-resource-memory-usage-percentage=5--has-chromeos-keyboard --login-profile=user=bwsi--homepage-chrome://newtab/--incongnito--log-level=1 --login-user=$guest--obbe-guest-session--login-user=$guest--login-profile=f00cd7b941583--disable-sync--disable-extension--ozone-use *surfaceless
I wanted to take what I have been through to the next level and go to the Financial Times Security Summit, where the heads of most companies I have in one way or another been on the phone with, will be, this coming March. Having had in one way or another spoken to the heads of banks, healthcare providers, medical institutions, all of which have been tampered with and the credit bureaus, something needs to be done. My background is medical research, so I'd rather go to DC, to discuss other matters.....I am glad you are all on top of this, I wouldn't have survived the last 5 years if you were not. It is really hard explaining to friends and family what is really happening. Its the mindset that, if I ignore it long enough it will go away, or its just too crazy. We all have parents, so knowing what someone is possibly doing to them, is a painful site. So Thank you again!!!!!!!!! A million times.
I love the proposal, please keep me posted.
Thanks
Forsight
I've followed most of this discussion with great interest. It is a good initiative, but have other alternatives been explored?
For instance, why a blacklist approach instead of a whitelist?
Why not a signal that certifies the name and activity of the company being reached? For example: [XXX Company | Bank] or [YYY Corp. | online retailer]
Simple signs are easy to understand by users, that is what I like of this initiative. However, you still need to enforce the message.
I'm sure for banks it would be easier to say:
* make sure that you see: [XXX Company | Bank] in your browser
Instead of follo all these "simple" tips to "make sure" you don't fall into a phishing scam:
1 - bla
2 - bla
3 -
...
10+
Of course, we could still rely on all that has been already built: digital certificates and connection encryption so that you can authenticate the site and protect the communications behind the scenes. We could even go further with schemes to digitally sign parts of the web page and do all sorts of checks (IP, DNS) to make sure that site corresponds to that company and that economic activity. The beauty is that the end user would still see a sign of trust from a company he/she most likely trusts already: the maker of the web browser.
Certificates were not designed to go this far. Nowadays criminals hack into legitimate sites and insert fake web pages in them; users still see the lock being closed and probably a trusted certificate. So even if the communication is secure and the site is correctly authenticated, they just don't know that they are getting into the right site. This scenario is difficult to solve with a blacklist approach.
Just an opinion,
Omar Herrera
For instance, why a blacklist approach instead of a whitelist?
Why not a signal that certifies the name and activity of the company being reached? For example: [XXX Company | Bank] or [YYY Corp. | online retailer]
Simple signs are easy to understand by users, that is what I like of this initiative. However, you still need to enforce the message.
I'm sure for banks it would be easier to say:
* make sure that you see: [XXX Company | Bank] in your browser
Instead of follo all these "simple" tips to "make sure" you don't fall into a phishing scam:
1 - bla
2 - bla
3 -
...
10+
Of course, we could still rely on all that has been already built: digital certificates and connection encryption so that you can authenticate the site and protect the communications behind the scenes. We could even go further with schemes to digitally sign parts of the web page and do all sorts of checks (IP, DNS) to make sure that site corresponds to that company and that economic activity. The beauty is that the end user would still see a sign of trust from a company he/she most likely trusts already: the maker of the web browser.
Certificates were not designed to go this far. Nowadays criminals hack into legitimate sites and insert fake web pages in them; users still see the lock being closed and probably a trusted certificate. So even if the communication is secure and the site is correctly authenticated, they just don't know that they are getting into the right site. This scenario is difficult to solve with a blacklist approach.
Just an opinion,
Omar Herrera
On 4 February 2016 at 15:28, <0h3r...@gmail.com> wrote:This is demonstrability unhelpful. UI/UX research has shown
> I've followed most of this discussion with great interest. It is a good initiative, but have other alternatives been explored?
>
> For instance, why a blacklist approach instead of a whitelist?
>
> Why not a signal that certifies the name and activity of the company being reached? For example: [XXX Company | Bank] or [YYY Corp. | online retailer]
>
> Simple signs are easy to understand by users, that is what I like of this initiative. However, you still need to enforce the message.
consistently that people do not notice the absence of positive
indicators.
Some things to read:
- Trust Me: Design Patterns for Constructing Trustworthy Trust Indicators
- The emperor’s new security indicators in Proceedings of the 2007
IEEE Symposium on Security and Privacy,.
- Use of Visual Security Cues in Web Browsers in Proceedings of the
2005 Conference on Graphics Interface
--
Eitan Adler
Thank you for your comments and the suggested references Eitan.
Sorry for touching on a topic that might have been heavily discussed in the past. I see your point now.
Still, from the references I see that simple but persistent security cues are still noticed by users (security lock is noted by 2/3 of people), even if they ignore their interactive capabilities.
Would a small set of simple and persistent security indicators have a different effect? The security lock signals a secure connection, but it does not certify the type of online transactions that user might do there with some degree of trust.
Let me rephrase my proposal:
3 small and persistent icons and a text field:
1) A lock (just like we have now)
2) A credit card - to indicate that this site is in a certified white list to do online shopping
3) A bag of coins with the dollar sign - to indicate that this site is in a certified list to do online banking transactions
Locks turn green when they satisfy the corresponding security indicators, otherwise they remain red (or even red and crossed).
The text field would contain a word with the certified brand name (for indicators 2 and 3). This might actually not be necessary, but I would still like to know what other things.
There we have a mix of both positive and negative indicators, that are simple, require no interaction from the user and are persistent.
Regards,
Omar
On Fri, Feb 5, 2016 at 7:49 AM, Omar Herrera Reyna <0h3r...@gmail.com> wrote:Thank you for your comments and the suggested references Eitan.Sorry for touching on a topic that might have been heavily discussed in the past. I see your point now.Still, from the references I see that simple but persistent security cues are still noticed by users (security lock is noted by 2/3 of people), even if they ignore their interactive capabilities.Would a small set of simple and persistent security indicators have a different effect? The security lock signals a secure connection, but it does not certify the type of online transactions that user might do there with some degree of trust.Let me rephrase my proposal:3 small and persistent icons and a text field:1) A lock (just like we have now)2) A credit card - to indicate that this site is in a certified white list to do online shopping3) A bag of coins with the dollar sign - to indicate that this site is in a certified list to do online banking transactionsLocks turn green when they satisfy the corresponding security indicators, otherwise they remain red (or even red and crossed).The text field would contain a word with the certified brand name (for indicators 2 and 3). This might actually not be necessary, but I would still like to know what other things.
I think that would be important: I'm not sure if the browsers want to get into the business of making these kind of attestations about websites, but I'll let them speak to that.
As you imply, there
are a variety of companies that are in that business - auditing websites and providing them with marks that are supposed to signal some level of trustworthiness in some domain. Those businesses do their best to develop their own brands and gain users trust. I assume they have a problem with misuse of their marks and I could see a role for browsers there: if a site is authenticated, the browser could reliably provide users with third-party attestations about the site: "this site has XYZ e-commerce certification", "this site has PQR malware-free status" etc. where is it XYZ and PQR, and not the browser, who are clearly responsible for the attestation. There we have a mix of both positive and negative indicators, that are simple, require no interaction from the user and are persistent.Regards,OmarOn Thu, Feb 4, 2016 at 8:26 PM, Eitan Adler <li...@eitanadler.com> wrote:On 4 February 2016 at 15:28, <0h3r...@gmail.com> wrote:
> I've followed most of this discussion with great interest. It is a good initiative, but have other alternatives been explored?
>
> For instance, why a blacklist approach instead of a whitelist?
>
> Why not a signal that certifies the name and activity of the company being reached? For example: [XXX Company | Bank] or [YYY Corp. | online retailer]
>
> Simple signs are easy to understand by users, that is what I like of this initiative. However, you still need to enforce the message.
This is demonstrability unhelpful. UI/UX research has shown
consistently that people do not notice the absence of positive
indicators.
Some things to read:
- Trust Me: Design Patterns for Constructing Trustworthy Trust Indicators
- The emperor’s new security indicators in Proceedings of the 2007
IEEE Symposium on Security and Privacy,.
- Use of Visual Security Cues in Web Browsers in Proceedings of the
2005 Conference on Graphics Interface
--
Eitan Adler
Thank you for your comments Mark,
I agree with you. These companies play an important role, and I think they can provide more value if they participate actively in an online validation process with the browser, and not just at the attestation.
For example, they could keep track of the customers activity and provide useful and neutral information for companies, users and authorities in cases of fraud.
They could also provide security services to users that only certain companies have internally, such as device tracking.
Regards,
Regards,
Omar
As both a user and sysadmin I really encourage this initiative.
One way to implement this that I think would make non-secure site more obvious and would enhance security would be to add a red border to any site or frame that isn't secure. Hovering the mouse over the border could identify what makes the site/frame non-secure.
An option to disable the borders per site could be added in the site permissions so that known sites wouldn't show the border and could be used for sites where the border affects functionality.
This should be a fairly simple function to code and I think it would be a lot more noticeable than just the address bar notifications. I think user education would be fairly easy too.
One way to implement this that I think would make non-secure site more obvious and would enhance security would be to add a red border to any site or frame that isn't secure. Hovering the mouse over the border could identify what makes the site/frame non-secure.
An option to disable the borders per site could be added in the site permissions so that known sites wouldn't show the border and could be used for sites where the border affects functionality.
This should be a fairly simple function to code and I think it would be a lot more noticeable than just the address bar notifications. I think user education would be fairly easy too.
I can image that there are concerns from content providers that there visitors might be scared by a visual indication of "non-secure". Even if these content providers offer their content via http:// and https:// a careless user is taken to http:// if he just enters the hostname in the URL bar as many consumers do.
If browsers could default to https for "scheme-less" entries in the URL bar (and fall back to http:// if there is no response), then visiting a non-secure page is an explicit choice of the end user. These users would more likely expect (and be used to) visual indicators for non-secure.
The problem is that there may be (and I saw some already) websites that sort of accidentally offer an HTTPS version (or offer it for the login screen only) and thus the site is not usable in HTTPS (due to HTTP script references and so on). The user will never know that it is a protocol issue.
If a website supports HTTPS, it should be responsible - automatically redirect to HTTPS and serve HTTPS with HTTP Strict Transport Security headers.
☆PhistucK
--You received this message because you are subscribed to the Google Groups "Security-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to securi...@chromium.org.