[Cryptography] HTTP should be deprecated.

ianG iang at iang.org
Wed Nov 13 02:21:16 EST 2013 

On 12/11/13 08:25 AM, Eric Mill wrote:
> A few things are pretty clear:
>
> * Whether or not everything should be HTTPS, clearly more should be.


There is a fallacy that web stuff need not be encrypted then it should 
not be.  This is wrong, but it takes a bit of logic and circumstances 
and experiences to find out why, below.

(This is old boring stuff, people who've read my rants on it can ignore it.)


> * HTTPS has lots of problems and doesn't solve everything.

In short, HTTPS is vulnerable to MITM.  Not good.

In longer terms:  Web stuff is used for secure online ecommerce, or 
online banking.  In this mode, the browser and the server have to 
authenticate each other.  If HTTPS is some part of this authentication, 
then we face a problem:

An attacker can set up a false website that is under HTTP.  He can then 
redirect across to the real site.  This is an MITM against an online 
website.

Now, the browser and the server have to authenticate each other so that 
the above MITM doesn't work.  Guess what?  The server doesn't 
authenticate the client using HTTPS because that requires client certs 
and they are not used.  (Server uses passwords instead, see where this 
is going...).

Likewise, the client doesn't authenticate the server at all if it isn't 
using HTTP -- which is exactly the above MITM.  Instead, there is a sort 
of handwavy "user is supposed to spot the switch from HTTPS to HTTP" 
argument which makes no sense because (a) the user is trained to accept 
the entire authentication done by the browser if HTTPS is used (consider 
the case of one CA issuing another CA's cert) and (b) the chrome refuses 
to show enough details to make the users aware of what is happening.

IOW, the browser knows what it is doing, and it doesn't.

In the cryptographic literature this is known as a downgrade attack, but 
we prefer to label phishing as an MITM.  In military terms it is "attack 
at the juncture of the maps" and nobody will see it (coz it's on the 
other map you don't have).

The *only practical/business approach* to the MITM weakness in secure 
browsing is to make everything HTTPS.  This is strategic: only then will 
there be sufficient concentration on in-HTTPS MITMs to force the 
browsers to change their thinking about how they authenticate the servers.

Everything other work is futile while the downgrade attack exists.

Hence the project for HTTPS everywhere.  Coming to your browser since 
2005 [0].



> * HTTPS breaks some kinds of caching, and doesn't affect others.
> * CDNs charge waaayyyy more to serve your data as HTTPS. This affects
> the behavior of institutions that use CDNs.

Ya.  Broken.  Eggs 'n omelets.

> * Google and others are backing SPDY as the next HTTP 2.0, which would
> have TLS on for all traffic. Google cares about performance and
> efficiency more than anyone else on the Web, and they think TLS is just
> fine. SPDY/HTTP2 is built to extend the Web with lots of different
> performance gains.


Google wields a two-edged sword -- it is both the server (services) and 
the customer (webmail clients, etc) and the #2 browser supplier 
(therefore also the uber-CA) and hooked in deeply to the #1 server 
supplier.  It's practically every side of the HTTPS box that they find 
themselves in.  No-one else inhabits the HTTPS box like they do.

Those outside that box know were this is going...


> HTTP2 being all-TLS would effectively deprecate HTTP in favor of HTTPS.
> I think this is where the Web is going, and we should look at whatever
> downsides that would cause and start addressing them now.


There are many, e.g.:


>     The fact that the CA model is a mess and browsers depend on it is a
>     much bigger disadvantage.


Browsers should be enabling opportunistic upgrades, but they are not. 
If I was a CA I'd be terrified of where this is going.  I'd sell.

But in terms of overall benefit for users, if one just looks at the 
world of ecommerce and online banking, there is only one direction: 
HTTPS everywhere.



iang



[0] IIRC, we identified this logic back in 2005 and started the process 
to eliminate SSL v2 so as to use TLS to distro TLS/SNI so as to make it 
plausible to use mass SSL...

More information about the cryptography mailing list