
Re: breaking TLS (Was: Re: multiplexing -- don't do it)

From: 陈智昌 <willchan@chromium.org>
Date: Fri, 6 Apr 2012 16:43:07 +0200
Message-ID: <CAA4WUYjBegh88MFzzbt2J2oNnwaTbme6hWibHQgXxbAyasXsig@mail.gmail.com>
To: Nicolas Mailhot <nicolas.mailhot@laposte.net>
Cc: ietf-http-wg@w3.org
On Fri, Apr 6, 2012 at 4:33 PM, Nicolas Mailhot <nicolas.mailhot@laposte.net> wrote:

> Amos Jeffries <squid3@...> writes:
>
> > IME admin are usually not that eager to do MITM on TLS.
>
> Yes there are all sorts of unpleasant legal risks involved
>
> > It is required by policy makers who just want to publish tick-box policies
>
> It is required to authenticate proxy users now that popular sites are
> moving to ssl, since no one has defined a reliable way to do it without
> breaking tls.
>
> And then once the system is in place who will vouch it won't be abused for
> corporate follies?
>
> It is *very* dangerous to make encryption an all-or-nothing proposal. That
> makes it an everyone-has-a-reason-to-break-it system, which means it *will*
> be broken, even in the cases it's perfectly justified.
>
> If you want to add security to browsing make *very* sure there is little
> reason for legal-abiding entities to break it, or they will finance and
> build the tools criminals will use. That means using encryption sparingly,
> not as a blanket system.
>


This logic makes no sense to me. I disagree strongly.
Received on Friday, 6 April 2012 14:43:36 GMT
