On 10/08/14 11:16 PM, David E. Ross wrote:
> On 8/10/2014 4:09 PM, Matt Palmer wrote:
>> On Sat, Aug 09, 2014 at 04:53:46PM -0700, David E. Ross wrote:
>>> Anyone wishing to argue this issue further -- to argue in favor of
>>> implementing a scheme to encourage all Web sites to be HTTPS with site
>>> certificates -- should first read
>>> <http://www.2rosenthals.net/wordpress/googles-https-everywhere-initiative-not-so-fast-994/>.
>>>  The blogger is a certificate reseller and also a computer systems
>>> integrator.  Thus, he is a professional in the area of computer systems,
>>> including security.
>>
>> How do you get from "resells certificates and bolts parts together" to "he is
>> a professional in [...] security"?  I won't deny that he is in the computer
>> systems profession (in the very precise definition of "for a livelihood"),
>> but beyond that, you're drawing an *exceptionally* long bow.
>>
>> - Matt
>>
> 
> I was a computer systems integrator for over 30 years.  I fully
> understand what "integrator" means.  In my career, software integration
> often included dealing with secure systems and how they were made secure.
> 
> Rosenthal is also a reseller of X.509 subscriber certificates, which
> should mean he understands Internet security.  Otherwise, how is he
> allowed to sell such certificates?
> 
> Add those two concepts together.

An appeal to authority isn't much of an argument.

HTTPS and HSTS are still very important for an entirely static site.

The alternative is allowing an attacker to masquerade as the site and
leverage the trust it has built for malicious purposes. If it's a blog,
the latest post may appear to be a link to the attacker's payload with a
stellar review.

Encryption is only half of the picture, as HTTP connections offer no way
to assure the authenticity of the source. Informing users that the
browser is unable to verify the authenticity of the source is not a bad
thing.

It's possible to have authenticated but unencrypted data for a use case
like this, but it's best if the opportunity to screw up by making the
wrong choice is not there in the first place. There's no compelling
reason not to encrypt everything because it's so cheap.


_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy