W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2012

Re: The TLS hammer and resource integrity

From: patrick mcmanus <pmcmanus@mozilla.com>
Date: Wed, 28 Mar 2012 23:59:06 +0200
Message-ID: <4F7389AA.6050005@mozilla.com>
To: ietf-http-wg@w3.org
On 3/28/2012 11:42 PM, Willy Tarreau wrote:
>
> Not necessarily but similarly we don't necessarily want to decide for
> the users that they need privacy where that really does not make sense
> for them. If you have a widget on your TV displaying a beautiful clock
> which looks nice in your living room, you don't care a dime that the
> time of day is retrieved over HTTP and that someone else can see the
> time you're seeing.

You might care that someone else knows that you are seeing it (and are 
therefore present and watching your tv). Domestic violence prevention 
advocates care about this stuff a lot - TLS makes it better without 
completely fixing it. (i.e. you can see that there is some activity but 
you might not be able to distinguish from other less identifying 
automatic activity, or cannot associate it with a cookie that would tell 
you who was using what appliance, etc..)

the content provider is in no position to make this decision about the 
user's privacy and is certainly not incented to care. I want to build a 
web that at least mitigates passive sniffing attacks - we can do that 
now.  The state of things when we make security optional is just 
embarrassing.
Received on Wednesday, 28 March 2012 21:59:46 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:51:57 GMT