Re: breaking TLS (Was: Re: multiplexing -- don't do it)

From: Mike Belshe <mike@belshe.com>
Date: Fri, 6 Apr 2012 15:30:27 +0000
Message-ID: <CABaLYCugwucMQ6c=RbxbxPUoTaMrGi1R_5bVqBEKSmZwE6toCQ@mail.gmail.com>
To: Nicolas Mailhot <nicolas.mailhot@laposte.net>
Cc: "William Chan (陈智昌)" <willchan@chromium.org>, ietf-http-wg@w3.org

On Fri, Apr 6, 2012 at 3:19 PM, Nicolas Mailhot <nicolas.mailhot@laposte.net> wrote:

>
> On Fri, 6 April 2012 16:43, William Chan (陈智昌) wrote:
>
> >> If you want to add security to browsing make *very* sure there is little
> >> reason for law-abiding entities to break it, or they will finance and build
> >> the tools criminals will use. That means using encryption sparingly, not as
> >> a blanket system.
>
> > This logic makes no sense to me. I disagree strongly.
>
> I'm not making a logic point, I'm stating how things are moving now, from
> direct experience. People have been blindly pushing for https everywhere
> these past years without handling the pain points this caused to
> corporations, and as a result lots of proxy providers are getting fat sums
> to break this encryption now
>

This sounds great to me.  If it gets broken, we'll fix it.  No point in
pretending it is secure if it is really not.

I expect a lot of innovation in the CA verification / trust arena in the
next few years.  If you keep up on that side of the world - you'll see
there is a lot that can change very soon.  But this is a bit orthogonal to
HTTP/2.0.

Mike




>
> (and btw browsers and Google are not the only ones to blame, vendors like
> Citrix that have told IT it could just tunnel Citrix through https and
> network admins would be none the wiser helped quite a lot too)
>
> --
> Nicolas Mailhot
Received on Friday, 6 April 2012 15:30:57 GMT
