[tor-dev] HTTPS Everywhere harmful

Ian Goldberg iang at cs.uwaterloo.ca
Sat Apr 25 08:13:03 UTC 2015


On Fri, Apr 24, 2015 at 08:05:43PM -0700, Mike Perry wrote:
> ** Sure, there could be a pile of new attribute flags that could be set
> on every HTML resource tag that says the resource must use a "secure
> http:" channel if the parent document happened to load over a secure
> channel, but the net engineering effort of deploying that correctly far
> exceeds the effort needed to mitigate the namespace fragmentation
> issues that Tim Berners-Lee is seemingly so concerned about.

But just as, as you point out, it is useful for the linker to be able to
say "hard fail if you don't have an _authenticated_ secure channel"
("https://"), even in a world where plain "http://" means "an encrypted
but possibly unauthenticated channel", the linker may also want to say
things like "hard fail unless the cert is issued by Foo" or "hard fail
unless the cert/pubkey has hash abc123" or "hard fail unless it's an EV
cert" (for whatever that's worth).

Right now, that "s" means "give an annoying warning if there's not a
blessed cert, and hard fail if there's no encryption at all", which is
rarely the semantics people actually intend.

With HTTP/2 and Let's Encrypt and Chrome suggesting that the annoying
warning will start appearing for all unencrypted sites in the medium
future, automated DV certs should soon be the minimum "you have to be
this tall to play on this Internet" (mumble servers without names
mumble), but it may still be useful to distinguish security levels above
the minimum in some cases.

   - Ian
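The levels Ian lists above (encryption only, a "blessed" chain, a specific issuer, a specific public-key hash, EV) can be made concrete as a small policy check a client could run before following a link. The following is an added example written for this archive page; it is not code from the tor-dev thread, Tor Browser or HTTPS Everywhere. The `LinkRequirement` fields, the `Connection` record, the `evaluate` function and the sample SPKI bytes are all constructed for illustration; the pin format (base64 of SHA-256 over the DER SubjectPublicKeyInfo) is the one used by HTTP Public Key Pinning.

```python
import base64
import hashlib
from dataclasses import dataclass
from typing import Optional

# Hypothetical description of what the TLS layer reports about a connection.
@dataclass
class Connection:
    encrypted: bool                  # any TLS at all (possibly unauthenticated)
    chain_validates: bool            # cert chains to a trusted ("blessed") root
    issuer: Optional[str] = None     # issuer CN of the leaf certificate
    spki_der: Optional[bytes] = None # DER SubjectPublicKeyInfo of the leaf
    ev: bool = False                 # browser recognised the cert as EV

# Hypothetical per-link requirement: the scheme plus the extra "hard fail
# unless ..." attributes the linker might want to express.
@dataclass
class LinkRequirement:
    scheme: str                              # "http" or "https"
    require_issuer: Optional[str] = None     # hard fail unless issued by X
    require_spki_pin: Optional[str] = None   # hard fail unless key hash matches
    require_ev: bool = False                 # hard fail unless EV

def spki_pin(spki_der: bytes) -> str:
    """HPKP-style pin: base64(sha256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")

def evaluate(req: LinkRequirement, conn: Connection) -> str:
    """Return 'fail', 'warn' or 'ok' for following this link over this connection.

    The scheme alone reproduces today's semantics: "https" means hard fail
    without encryption and a warning without a validating chain.  The extra
    attributes each turn a specific shortfall into a hard fail.
    """
    if req.scheme == "https":
        if not conn.encrypted:
            return "fail"
        if not conn.chain_validates:
            # Today's behaviour: the user gets a warning, not a refusal.
            return "warn"
    elif req.scheme != "http":
        raise ValueError("unsupported scheme: %r" % req.scheme)

    # The stricter, linker-chosen requirements all hard fail on mismatch.
    if req.require_issuer is not None and conn.issuer != req.require_issuer:
        return "fail"
    if req.require_spki_pin is not None:
        if conn.spki_der is None or spki_pin(conn.spki_der) != req.require_spki_pin:
            return "fail"
    if req.require_ev and not conn.ev:
        return "fail"
    return "ok"

# Constructed sample key bytes; a real SPKI would be a DER-encoded structure.
SAMPLE_SPKI = b"constructed-spki-bytes-not-a-real-key"
SAMPLE_PIN = spki_pin(SAMPLE_SPKI)

def demo() -> dict:
    """Run the link/connection combinations that illustrate each level."""
    good = Connection(True, True, issuer="Foo CA", spki_der=SAMPLE_SPKI, ev=False)
    unauth = Connection(True, False, issuer="Self", spki_der=SAMPLE_SPKI)
    other_key = Connection(True, True, issuer="Foo CA", spki_der=b"some-other-key")
    return {
        "plain_https_ok": evaluate(LinkRequirement("https"), good),
        "plain_https_unauth": evaluate(LinkRequirement("https"), unauth),
        "plain_https_cleartext": evaluate(LinkRequirement("https"), Connection(False, False)),
        "issuer_match": evaluate(LinkRequirement("https", require_issuer="Foo CA"), good),
        "issuer_mismatch": evaluate(LinkRequirement("https", require_issuer="Bar CA"), good),
        "pin_match": evaluate(LinkRequirement("https", require_spki_pin=SAMPLE_PIN), good),
        "pin_mismatch": evaluate(LinkRequirement("https", require_spki_pin=SAMPLE_PIN), other_key),
        "ev_required": evaluate(LinkRequirement("https", require_ev=True), good),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print("%-24s %s" % (name, result))
```

The point of separating `scheme` from the attribute fields is visible in `demo()`: the bare `https` link still only warns on an unvalidated chain, whereas any of the added requirements turns the corresponding mismatch into a refusal, which is the distinction between the current meaning of the "s" and the stricter levels the message describes.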

