Tuesday, August 24, 2010

Feeling Unsafe About http://


On the WebSockets mailing list, there is a heated discussion going on about whether or not WebSockets should be deployed over TLS (aka “https”). The common misconceptions about TLS arise, of course. But it has become increasingly clear that most people view protocol security completely backwards, because of HTTP. (Thanks to Jim Roskind for crystallizing this.)
Today, we view the web as two protocols:
  • HTTP:  The protocol of the web
  • HTTPS: The secure version of HTTP.  Cool!
But we should think of it like this:
  • HTTPS: The protocol of the web
  • HTTP: The insecure version of HTTPS.  Yikes!
We shouldn’t feel safe when we use https.  We should feel unsafe when we use http.
Our vantage point is backwards because we started with the notion that security is an “add on”. In today’s hostile networking environment, nothing could be further from the truth. Security is not a feature, but a requirement. Offering an “insecure” version for those who want to play it risky should be the optional feature. This only becomes more true when you consider that new protocols will be in use 10 years from now…
