On Jan 12, 2013, at 1:27 AM, ianG wrote:

> Oh, I see.  So basically they are breaking the implied promise of the https 
> component of the URL.
> 
> In words, if one sticks https at the front of the URL, we are instructing the 
> browser as our agent to connect securely with the server using SSL, and to 
> check the certs are in sync.
> 
> The browser is deciding it has a better idea, and is redirecting that URL to 
> a cloud server somewhere.
> 
> (I'm still just trying to understand the model.  Yes, I'm surprised, I had 
> never previously heard of this.)

I suppose you can look at it as "breaking the implied promise." You can also 
look at it as a service.

Many of these systems work in an environment where connectivity is very 
expensive. In such an environment, saving money by having someone filter your 
HTTP comes with the cost that you have to trust them not to do bad things with 
your data.

But if you get into a cab, you're trusting them not to drive you into oncoming 
traffic. If that threat bothers you, don't take a cab. Every time you eat in a 
restaurant, you're trusting them to have reasonable food safety practices and 
not spit on your food. If that bothers you, don't do that.

> 
> 
> 
>> That can be converted pictures, edits to the HTML proper, and so on.
>> 
>> The security characteristics are a mixed bag. They can send smaller 
>> pictures, scan for malware, but obviously they can't process your SSL 
>> connections. So they send the URL to the cloud server, make the SSL 
>> connection, and then send you the optimized page over SSL.
> 
> One could interpret the browser as being a combined service between the 
> client on the phone, and the cloud support services, sure.
> 
> I think this interpretation would be unusual to any ordinary user.  At a 
> contractual level, it would also need to be agreed by both ends.  We can 
> easily ensure the end-users' agreement by means of the phone agreement, but 
> it is less easy to imply the banks' agreement.

In some parts of the world and under some conditions, it's *usual*. The network 
is bad and expensive. It's really easy for us rich Westerners who can afford 
data roaming plans and travel SIMs to go into high dudgeon over it. I share 
your disdain, but my disdain is similar to my disdain for payday check cashing 
places etc. I don't approve. I understand, but I don't approve.

> 
> And, if a security case were to result in a bank being held for damages, it 
> could easily expand to Nokia.  Given the complexity of modern day online 
> banking sites (that's a kind description) I can't see how they could be agile 
> enough to avoid making mistakes.

Sure. Nokia is taking a risk, as is Opera (who supply that browser). That risk 
is mitigated by a click-through license that no one reads, but heck, someday 
some judge is going to hack up a hairball on click-throughs.

> 
> Yes, ok, it's not an attack if there isn't an attacker.  Or more generally, 
> is it an attack when the attack is done by self?  "We have met the enemy, and 
> he is us."

Exactly, and the answer is no. It's a service voluntarily offered and 
subscribed to (for some suitable definition of the word "voluntary").

> 
> So more properly, it might be a breach-of-contract issue, where the contract 
> to provide a browser that does the 'right thing' has been breached (in the 
> view of the outraged).
> 
> Nokia will argue that their contract is clearly expressed, they can do this 
> and they claim so in their contract.  OK.
> 
> Question remains -- what to make of a vendor that does tricksy things with 
> the implied secure browsing contract?

Well, that's like the difference between a short-term loan person who does 
something tricksy with the interest rate. There's a big smear from accepted to 
dodgy to unfair to evil. 

> 
> If Nokia can do this, can the other vendors?  Why can't Firefox and Chrome 
> start clouding the https connection?

They could, sure. As I pointed out, Google Reader is almost the same sort of 
thing, but is an RSS reader. I have quibbles with them, and my quibbles are 
actually the opposite. Amazon Silk does pretty much the same thing as the 
Nokia/Opera thing. A lot of pixels have been spilt over it. I don't use Silk, 
but I don't think Amazon are evil for offering it. I don't think the people who 
use it are either stupid or dupes. It's just not my thing.

(The quibble I have is over partial security. My quibble is that lots of 
partial security systems label the partial security as being worse than no 
security. I believe that partial security is always better than no security.)

        Jon

