[webvr] WebVR to go HTTPS only

Florian Bösch pyalot at gmail.com
Wed Jul 13 07:45:36 UTC 2016


A thread was posted at the public-webvr at w3.org by Brandon Jones about WebVR
going HTTPS only.

http://lists.w3.org/Archives/Public/public-webvr/2016Jul/0000.html

I take a principled objection against this for the following reasons:

   - Using or not using SSL for transport should be up to the website
   author, and it's not the business of UA vendors to dictate that choice.
   - The certificate authority infrastructure is far from perfect, and for
   various reasons (security, cost, performance, politics, censorship,
   centralization, etc.) some may not wish to have anything to do with it.
   - Depending on the use case, the performance of SSL can be a serious
   issue (where it's not just half or a quarter as fast, but thousands of
   times slower).
   - SSL libraries by far and large are opaque blobs of not well understood
   code, and are hard to integrate. This isn't an appropriate way to build a
   "secure web".
   - Certificate authorities by far and large are overpriced and their
   services are not well specified. The few free ones that exist offer
   services that are awkward to use, and expose users and website authors to
   substantial additional risk of fraud, identity theft, website theft,
   certificate authority exploit and centralization.

I also take a specific objection against the assertions made in that
message, specifically quoting Brandon:

> We are, in effect, giving sites the ability to take over not just your
> cursor

No you are not. The gaze direction has nothing to do with your cursor. You
can't "override" the gaze without making the user puke. Verdict: vapid
ideological nonsense propaganda


> or your screen

You're already giving the web power to "take over your screen". It's called
"writing a webpage". Verdict: vapid ideological nonsense propaganda


> but completely override one of your senses.

You do not override a sense, you're wearing an HMD. A user can always take
off his HMD. Verdict: vapid ideological nonsense propaganda


> It's prudent for us to
> ensure the digital reality we deliver

You don't deliver anything. Website authors deliver. Verdict: vapid
ideological nonsense propaganda


> to users is authenticated,

SSL does nothing for authentication. Verdict: vapid ideological nonsense
propaganda


> integrity-checked,

SSL may do that in some special circumstances (website is modified by ISP
to inject ads for instance). However, WebVR is delivered programmatically
by JS. The effort to analyze a specific JS codebase, reverse engineer its
rendering, inject your VR-ads code, and keep it working with the WebVR page
as-is is so idiotically high, nobody's going to do that. Verdict: vapid
ideological nonsense propaganda


> and confidential.

Whether a website wants to be confidential or fast should be up to the website
author, and it's not your place to make that decision. Verdict: vapid
ideological nonsense propaganda

Grade: F for fucking bullshit.