Re: WS/Service Workers, TLS and future apps - [was Re: HTTP is just fine]

2015-11-30 Thread Aymeric Vitte
Not sure that you know what you are talking about here, maybe influenced by fb's onion things, or you misunderstood what I wrote. I am not talking about the Tor network, neither the Hidden services, I am talking about the Tor protocol itself, that's different and it is known to be strong, but

Re: WS/Service Workers, TLS and future apps - [was Re: HTTP is just fine]

2015-11-30 Thread Richard Barnes
On Mon, Nov 30, 2015 at 4:39 PM, Aymeric Vitte wrote: > Not sure that you know what you are talking about here, maybe influenced > by fb's onion things, or you misunderstood what I wrote. > > I am not talking about the Tor network, neither the Hidden services, I > am

WS/Service Workers, TLS and future apps - [was Re: HTTP is just fine]

2015-11-30 Thread Aymeric Vitte
Redirecting this to WebApps since it's probable that we are facing a design mistake that might amplify by deprecating non TLS connections. I have submitted the case to all possible lists in the past, never got a clear answer and was each time redirected to another list (ccing webappsec but as a

Re: WS/Service Workers, TLS and future apps - [was Re: HTTP is just fine]

2015-11-30 Thread Brad Hill
I don't think there is universal agreement among browser engineers (if anyone agrees at all) with your assertion that the Tor protocol or even Tor hidden services are "more secure than TLS". TLS in modern browsers requires RSA 2048-bit or equivalent authentication, 128-bit symmetric key

RE: WS/Service Workers, TLS and future apps - [was Re: HTTP is just fine]

2015-11-30 Thread Crispin Cowan
“Secure against which threats?” is the question. TLS, with its stronger crypto, is more secure against an adversary that wants to read the content of your messages. ToR is more secure against an adversary that wants to detect that you visit a particular site, are associated with particular

Re: WS/Service Workers, TLS and future apps - [was Re: HTTP is just fine]

2015-11-30 Thread Richard Barnes
On Mon, Nov 30, 2015 at 5:52 PM, Aymeric Vitte wrote: > You must be kidding, the logjam attack showed the complete failure of > TLS Sure, protocols have bugs, and bugs get fixed. The things we require for HTTPS aren't even design goals of Tor. > and your 1/2/3

Re: WS/Service Workers, TLS and future apps - [was Re: HTTP is just fine]

2015-11-30 Thread Aymeric Vitte
What are you talking about? The logjam attack just shows that you (spec security experts of major internet companies) are incompetent, or just knew about it. You don't know Tor "plenty well", I am not referring at all to hidden services, the fb case, or the ridiculous related case of a https

Re: WS/Service Workers, TLS and future apps - [was Re: HTTP is just fine]

2015-11-30 Thread Florian Bösch
On Mon, Nov 30, 2015 at 10:45 PM, Richard Barnes wrote: > 1. Authentication: You know that you're talking to who you think you're > talking to. > And then Dell installs a their own root authority on machines they ship, or your CA of choice gets pwn'ed or the NSA uses some

Re: WS/Service Workers, TLS and future apps - [was Re: HTTP is just fine]

2015-11-30 Thread Aymeric Vitte
You must be kidding, the logjam attack showed the complete failure of TLS and your 1/2/3 (notwithstanding the useless discussions about CAs & co), which does not apply to the Tor protocol that you don't know apparently but that fulfills 1/2/3 I am not a Tor advocate, this is just an example

Re: WS/Service Workers, TLS and future apps - [was Re: HTTP is just fine]

2015-11-30 Thread Jim Manico
How about the many of the Tor endpoints being compromised? Does that show a complete failure of Tor? I would say no. http://www.ibtimes.co.uk/tor-anonymity-network-compromised-following-potential-raid-by-law-enforcement-agencies-1480620 Most folks who really care about this stuff use Tor and

Re: Meeting date, january

2015-11-30 Thread Chaals McCathie Nevile
On Tue, 01 Dec 2015 00:15:23 +1000, Léonie Watson wrote: From: Chaals McCathie Nevile [mailto:cha...@yandex-team.ru] Sent: 26 November 2015 01:55 it appears that there are some people may not be able to attend a meeting on the 29th - although Apple has

Re: WS/Service Workers, TLS and future apps - [was Re: HTTP is just fine]

2015-11-30 Thread Brad Hill
Let's keep this discussion civil, please. The reasons behind blocking of non-secure WebSocket connections from secure contexts are laid out in the following document: http://www.w3.org/TR/mixed-content/ A plaintext ws:// connection does not meet the requirements of authentication, encryption

Re: CfC: Is Web Workers Ready for CR? deadline Dec 14

2015-11-30 Thread Boris Zbarsky
On 11/30/15 8:31 AM, Xiaoqian Wu wrote: The latest [TEST RESULTS] of Web Workers indicate that Dedicated Workers have been widely implemented by the major browser vendors. Compatibly? Last I checked, for example, Blink doesn't support Dedicated Workers inside workers, only inside Window. I

Re: CfC: Is Web Workers Ready for CR? deadline Dec 14

2015-11-30 Thread Xiaoqian Wu
> On 30 Nov 2015, at 10:02 PM, Boris Zbarsky wrote: > > On 11/30/15 8:31 AM, Xiaoqian Wu wrote: >> The latest [TEST RESULTS] of Web Workers indicate that Dedicated Workers >> have been widely implemented by the major browser vendors. > > Compatibly? Last I checked, for

Re: CfC: Is Web Workers Ready for CR? deadline Dec 14

2015-11-30 Thread Ms2ger
On 11/30/2015 02:31 PM, Xiaoqian Wu wrote: > This is a call for comments regarding the next step of Web Workers. > > The latest [TEST RESULTS] of Web Workers indicate that Dedicated > Workers have been widely implemented by the major browser vendors. > > [Diff] between the latest W3C WD and the

RE: Meeting date, january

2015-11-30 Thread Léonie Watson
> From: Chaals McCathie Nevile [mailto:cha...@yandex-team.ru] > Sent: 26 November 2015 01:55 > it appears that there are some people may not be able to attend a meeting > on the 29th - although Apple has generously offered to host that day. > > Is there anyone who would only be able to attend if

CfC: Is Web Workers Ready for CR? deadline Dec 14

2015-11-30 Thread Xiaoqian Wu
This is a call for comments regarding the next step of Web Workers. The latest [TEST RESULTS] of Web Workers indicate that Dedicated Workers have been widely implemented by the major browser vendors. [Diff] between the latest W3C WD and the WHATWG living standard suggests substantial changes