- From: Willy Tarreau <w@1wt.eu>
- Date: Wed, 18 Jul 2012 08:18:39 +0200
- To: Mike Belshe <mike@belshe.com>
- Cc: Phillip Hallam-Baker <hallam@gmail.com>, "Adrien W. de Croy" <adrien@qbik.com>, Rajeev Bector <rbector@yahoo-inc.com>, Martin Thomson <martin.thomson@gmail.com>, Martin J. Dürst <duerst@it.aoyama.ac.jp>, Doug Beaver <doug@fb.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
On Tue, Jul 17, 2012 at 10:13:55PM -0700, Mike Belshe wrote:
> > Mandating TLS in 2.0 will not provide an ounce of extra security
> > unless you have a way to know who is running 2.0. And if you can do
> > that you do not need the mandate.
> >
>
> It's all negotiated in the handshake. You'll know who is TLS and who is
> not.
>
> It does provide lots of better security. The internet cafe is the best
> example. I know you're aware of Firesheep. We should make it impossible
> to use firesheep in 2020. Right?

Mike, till now you've made serious arguments. But quite frankly, firesheep is just a joke to send the usual summer end-of-the-world alert to the press. I think none of us knows anybody who's been a victim of this, because where it would have mattered, TLS would have been used anyway.

I'm concerned about the situations where users' security is really attacked, which is massive MITM using fake certs, massive bank account and credential collection using malware, spyware returning your browsing history to ads vendors, and more recently malware running on smartphones to collect a lot of personal information. Mandating use of TLS is irrelevant to these real world issues and can only make them worse.

However I agree it will feel good to say "hey look, now I can show you that firesheep doesn't see my cleartext password anymore", but what site would require me to send my password in cleartext over the net anyway?

Regards,
Willy
Received on Wednesday, 18 July 2012 06:19:13 UTC