
January 31, 2009

The worst idea ever: Let's break SSL for mobile users

This is definitely the scariest and stupidest idea I have heard in a very long time: some people on the W3C Mobile Web Best Practices Working Group think that it is acceptable to break SSL—the security backbone of the Internet—in order to help transcoding proxies reformat content for mobile users:

This just demonstrates one of the reasons we suck at security: small groups of people who do not really know what they are doing wield significant power and affect millions. It's like year 2000 all over again. We are lucky when in some cases (such as in this one) there are informed people willing to stand for what's right.


Comments


Note that the email quoted in the article to which you refer opens with the statement: "I haven't read the specs, but [...]".

Note also that there is a spirited discussion going on at W3C which, in part, includes a strong *defense* of the idea that transcoding proxies should leave HTTPS URIs alone. The assertions about what is happening are just plain inaccurate.

Please do read the doc linked to at http://chw.rit.edu/blog before you come to conclusions, and please leave comments at CHW so your input can be attended to... That was the idea of the original discussion: making sure W3C hears from lots of informed people about this and other issues related to the Mobile Web.

jeffs

Hi Jeff,

I was commenting on the desire (of some members of the group) and the discussion, which I've read in full before commenting. I wrote that "some people [...] think that it is acceptable to break SSL", and that seems pretty accurate to me. To me, just the fact that such a discussion is taking place is bad enough. Hence my comment.

Thank you for the link to the Mobile Web Application Best Practices draft. I will be happy to read and comment on it. If you want to seek input from security-minded people, the best thing to do is post to the Web Security Mailing List: http://www.webappsec.org/lists/websecurity/


ABOUT ME

Ivan Ristić is an open source advocate, entrepreneur, writer, programmer and web security specialist. He is the principal author of ModSecurity, the open source web application firewall, and the author of Apache Security, a concise yet comprehensive web security guide for the Apache web server.
