[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-dev] HTTPS Everywhere harmful

To: tor-dev@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-dev] HTTPS Everywhere harmful
From: yan <yan@xxxxxxxxxxxxxx>
Date: Fri, 24 Apr 2015 23:10:11 -0700
Delivered-to: archiver@xxxxxxxx
Delivery-date: Sat, 25 Apr 2015 02:10:26 -0400
Dkim-signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=eff.org; s=mail2; h=Content-Transfer-Encoding:Content-Type:In-Reply-To:References:Subject:To:MIME-Version:From:Date:Message-ID; bh=BJrc4i4DRvgwt7Akod25sGRHG75lykZW2MveyDPJ2iU=; b=5/Iaj25h/xzwinTyZlxQrnXU8JqQ7UD5e2++pKlHiDVzuJogf2VH9Bi2vMFs0hYo49kXrcjPtpqi66wgJqZ54Ay+HxNNpRyEEUNthEDj+P6ZQk45NL6VwWcwcGKubk+gIFjod+ESW5qvIvCEWQMBDSznkaFm7w0187S11Np8PCQ=;
In-reply-to: <20150425030543.GG20018@xxxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-dev/>
List-help: <mailto:tor-dev-request@lists.torproject.org?subject=help>
List-id: discussion regarding Tor development <tor-dev.lists.torproject.org>
List-post: <mailto:tor-dev@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=unsubscribe>
References: <CAMZR1YAYXv1Nxo=MRfEdXi-A22cEFVx31aKVKPU_kZ9+JSxYvg@xxxxxxxxxxxxxx> <20150425030543.GG20018@xxxxxxxxxxxxxx>
Reply-to: tor-dev@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-dev" <tor-dev-bounces@xxxxxxxxxxxxxxxxxxxx>
User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:31.0) Gecko/20100101 Thunderbird/31.6.0

To be clear, Tim is talking about "HTTPS Everywhere" in general, not thebrowser extension!


On 4/24/15 8:05 PM, Mike Perry wrote:

Maciej Soltysiak:

http://www.w3.org/DesignIssues/Security-NotTheS.html


The problem with his argument is that the web (and any protocol, really)
needs a way to demand a hard guarantee that a request must proceed over
a secure transport layer. If that layer is not available, the request
must fail. Anything short of that is opportunistic security, and by
definition not effective against an active attacker**.

We (the W3C technical architecture group) talked to TBL in person aboutthis yesterday. To be clear, in TBL's proposal, the HTTPS scheme stillexists and works as-is; it's just HTTP that changes.

I suspect what Tim Berners-Lee is actually annoyed with is Mixed Content
Blocking and its tendency to impede upgrade to HTTPS rather than
encourage it (due to blocking HSTS-upgraded URLs and addon redirect
HTTPS upgrades as if they were HTTP URLs, rather than allowing them to
be treated as first-class HTTPS urls). With that, I sympathize. Mixed
Content Blocking seems to be doing more harm than good in terms of
encouraging HTTPS transition, and has forced HTTPS-Everywhere to have to
disable thousands of HTTPS upgrade rules due to site breakage from
improperly blocked "Mixed Content".

Unfortunately, it seems that conflating the Mixed Content Blocking issue
with the HTTPS namespace issue will likely distract the standards
community long enough to delay development of proper solutions to HTTPS
migration (like an improved form of HSTS that addresses known issues
with Mixed Content Blocking: https://w3c.github.io/webappsec/specs/upgrade/).

I think you're right that a *lot* of TBL's frustration is from mixedcontent blocking, a sentiment which many of us share. The "UpgradeInsecure Requests" doc is a good start, but perhaps it could be moreaggressive with upgrades. Two ideas I left for Mike West on my review ofthe spec:

1. If a subresource is successfully upgraded on foo.com, remember thisand automatically upgrade subresources with the same host on bar.com inthe future.2. Make a header that lets a host indicate that it should be upgradedwhenever it's a subresource, regardless of whether the embedding pagehas set the CSP upgrade header. Sort of like HSTS if HSTS actuallyhappened *before* mixed content blocking.

Both of these can obviously be abused to fingerprint users,unfortunately (in the same way that HSTS can).

Forgive me if I do my best to avoid this distraction myself.


Forgiven. :)



** Sure, there could be a pile of new attribute flags that could be set
on every HTML resource tag that says the resource must use a "secure
http:" channel if the parent document happened to load over a secure
channel, but the net engineering effort of deploying that correctly far
exceeds the effort needed to mitigate the namespace fragmentation
issues that Tim Berners-Lee is seemingly so concerned about.




_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

References:
- [tor-dev] HTTPS Everywhere harmful
  - From: Maciej Soltysiak
- Re: [tor-dev] HTTPS Everywhere harmful
  - From: Mike Perry

Prev by Author: Re: [tor-dev] Tor Summer of Privacy [ Incorporating ruleset testing into https-everywhere release process ]
Next by Author: Re: [tor-dev] Are DAC_OVERRIDE & CHOWN capabilities required for ControlSocket?
Previous by thread: Re: [tor-dev] HTTPS Everywhere harmful
Next by thread: Re: [tor-dev] HTTPS Everywhere harmful
Index(es):
- Author
- Thread