W3C home > Mailing lists > Public > ietf-http-wg@w3.org > April to June 2012

Re: breaking TLS (Was: Re: multiplexing -- don't do it)

From: Nicolas Mailhot <nicolas.mailhot@laposte.net>
Date: Fri, 6 Apr 2012 14:33:29 +0000 (UTC)
To: ietf-http-wg@w3.org
Message-ID: <loom.20120406T162149-339@post.gmane.org>
Amos Jeffries <squid3@...> writes:

> IME admin are usually not that eager to do MITM on TLS.

Yes there are all sorts of unpleasant legal risks involved

> It is required by policy makers who just want to publish tick-box policies 

It is required to authenticate proxy users now that popular sites are moving to
ssl, since no one has defined a reliable way to do it without breaking tls.

And then once the system is in place who will vouch it won't be abused for
corporate follies?

It is *very* dangerous to make encryption an all-or-nothing proposal. That makes
it an everyone-has-a-reason-to-break-it system, which means it *will* be broken,
even in the cases it's perfectly justified.

If you want to add security to browsing make *very* sure there is little reason
for legal-abiding entities to break it, or they will finance and build the tools
criminals will use. That means using encryption sparingly, not as a blanket
system.
Received on Friday, 6 April 2012 14:34:03 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:51:59 GMT