The W3C Technical Architecture Group (TAG) supports the pervasive use of strong end-to-end encryption for web communications. This includes the use of TLS for transport encryption as well as applications that enable user-to-user encryption.

Status of This Document

This document has been produced by the W3C Technical Architecture Group (TAG). The TAG approved this finding at its July 2015 F2F. Please send comments on this finding to the publicly archived TAG mailing list www-tag@w3.org (archive).

Why the TAG Supports Strong Encryption

The web is an interoperable, open platform that works because users trust it. Thanks to broadly available strong encryption, the World Wide Web has enabled an explosion of creativity and commerce, enabling millions of businesses and other organizations to maintain the user trust essential to their growth. This trust is fundamentally undermined by key escrow or deliberately weak encryption provisions.

As stated in [SECURING-WEB], the TAG strongly supports the use of HTTPS to assure users that the parties they're interacting with are really who they say they are, and that their communications have not been tampered with. Recent W3C specifications, such as [POWER] and [UPGRADE], seek to ease and encourage the path towards a fully encrypted web. This is crucial in light of recent end-user breaches of trust such as [PERMACOOKIE], a privacy violation by the network operator that would be impossible in an encrypted web. Likewise, attacks on credentials and other sensitive information such as demonstrated by [FIRESHEEP] are prevented by the ubiquitous use of TLS.

As other technical experts have written in [KEYS], it is impossible to build systems that can securely support "exceptional access" capabilities without breaking the trust guarantees of the web platform. Introducing such capabilities imposes known risks that far outweigh any hypothetical benefits.


Informative references

Eric Butler. Firesheep. URL: http://codebutler.com/firesheep/
Harold Abelson; Ross Anderson; Steven M. Bellovin; Josh Benaloh; Matthew Blaze; Whitfield Diffie; John Gilmore; Matthew Green; Peter G. Neumann; Susan Landau; Ronald L. Rivest; Jeffrey I. Schiller; Bruce Schneier; Michael Specter; Daniel J. Weitzner. Keys Under Doormats: mandating insecurity by requiring government access to all data and communications. URL: https://www.cl.cam.ac.uk/~rja14/Papers/doormats.pdf
Robert McMillan. Verizon's 'Perma-Cookie' Is a Privacy-Killing Machine. URL: http://www.wired.com/2014/10/verizons-perma-cookie/
Mike West; Yan Zhu. Secure Contexts. W3C Editor's Draft. URL: http://www.w3.org/TR/powerful-features/
Mark Nottingham. Securing the Web. Finding. URL: https://www.w3.org/2001/tag/doc/web-https
Mike West. Upgrade Insecure Requests. W3C Editor's Draft. URL: http://www.w3.org/TR/upgrade-insecure-requests/