Re: Mandatory encryption from Mike Belshe on 2012-07-18 (ietf-http-wg@w3.org from July to September 2012)

From: Mike Belshe <mike@belshe.com>
Date: Tue, 17 Jul 2012 19:30:15 -0700
To: Phillip Hallam-Baker <hallam@gmail.com>
Cc: Paul Hoffman <paul.hoffman@gmail.com>, grahame@healthintersections.com.au, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Message-ID: <CABaLYCtynd1jQ88+yXyY6kEpqigBH2w3vuMo+tDmx72YMy0ReQ@mail.gmail.com>

Mandatory SSL is +1 and very forward thinking.

On Tue, Jul 17, 2012 at 6:22 PM, Phillip Hallam-Baker <hallam@gmail.com>wrote:

> -1
>
> I don't want to have a mandatory requirement unless it is going to
> change behavior.

I don't think we can change behavior with protocols.  All we can do is
offer new features.  If the features are compelling, people will upgrade.
 If the features are not compelling, they won't.

People used to tell me SPDY would never get people to "upgrade".  Even
after touching a half a billion users, people still tell me that.  I think
the evidence of adoption speaks for itself.

>
> We already have ubiquitous deployment of TLS in browsers. The code is
> freely available, everyone knows the benefit.
>
> The only HTTP servers or clients I am aware of that don't have TLS
> support are either toolsets that the provider expects to be used with
> OpenSSL or the like and embedded systems.
>

I'll ask the google crawler guys to weigh in on this.  They have pretty
good stats.  I believe your assertion is provably false.

>
> Incidentally, suport for IPSEC is mandatory in IPv6 but that does not
> seem to do any good either. It just means that IPv6 is harder to
> deploy as implementations are required to support a security layer
> almost nobody uses as TLS has proved better.
>
>
> Making TLS a mandatory requirement seems like a feelgood approach to
> security to me. Instead of doing something useful, we pass a
> resolution telling people to do what they plan to do anyway.
>

You imply there is something else that would be useful - what would it be?
 (don't feel obliged to answer :-)

To me mandating security is a great first step.  Nobody should think this
'fixes' security. But if we believe the net ever needs to be secure, we
need to start taking steps toward that.

Mandating SSL is a simple step we can take which solves most of the
eavesdropping problem right now.  But more importantly, it poises us to
address the next set of security issues, including CA/verification
problems,  distribution of video over ssl, handshake latency, etc.  Until
we start trying to be secure, of course we'll never be secure.

Mike

>
>
> On Tue, Jul 17, 2012 at 8:51 PM, Paul Hoffman <paul.hoffman@gmail.com>
> wrote:
> > +1 to what seems to be a lot of developers: make TLS mandatory.
> >
> >>  so, even when used in an internal application protocol, it's going to
> >>  be end to end
> >>  encrypted to make it super hard to debug?
> >
> > In an internal application protocol, why would it be "super hard to
> > debug"? The client can do an HTTP dump before TLS, the server can do
> > an HTTP dump after TLS; either of the sides could debug the TLS.
> >
> >>  http is about more than users using
> >>  web browsers.
> >
> > Completely true, and not relevant. Insecure HTTP for non-browser
> > applications still has the same bad properties, no?
> >
>
>
>
> --
> Website: http://hallambaker.com/
>
>

Received on Wednesday, 18 July 2012 02:30:43 UTC