W3C home > Mailing lists > Public > ietf-http-wg@w3.org > July to September 2012

Re: Re[6]: HTTP2 Expression of Interest

From: Willy Tarreau <w@1wt.eu>
Date: Wed, 18 Jul 2012 08:18:39 +0200
To: Mike Belshe <mike@belshe.com>
Cc: Phillip Hallam-Baker <hallam@gmail.com>, "Adrien W. de Croy" <adrien@qbik.com>, Rajeev Bector <rbector@yahoo-inc.com>, Martin Thomson <martin.thomson@gmail.com>, Martin J. Dürst <duerst@it.aoyama.ac.jp>, Doug Beaver <doug@fb.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Message-ID: <20120718061839.GD5875@1wt.eu>
On Tue, Jul 17, 2012 at 10:13:55PM -0700, Mike Belshe wrote:
> > Mandating TLS in 2.0 will not provide an ounce of extra security
> > unless you have a way to know who is running 2.0. And if you can do
> > that you do not need the mandate.
> >
> 
> It's all negotiated in the handshake.  You'll know who is TLS and who is
> not.
> 
> It does provide lots of better security.  The internet cafe is the best
> example.  I know you're aware of Firesheep.  We should make it impossible
> to use firesheep in 2020.  Right?

Mike, till now you've made serious arguments. But quite frankly, firesheep
is just a joke to send the usual summer end-of-the-world alert to the press.
I think none of us knows anybody who's been victim of this, because where it
would have mattered, TLS would have been used anyway.

I'm concerned about the situations where users' security is really attacked,
which is massive MITM using fake certs, massive bank accounts and credentials
collection using malware, spyware returning your browsing history to ads
vendors, and more recently malware running on smartphones to collect a lot
of personal information.

Mandating use of TLS is irrelevant to these real world issues and can only
make them worse. However I agree it will feel good to say "hey look, now I
can show you that firesheep doesn't see my cleartext password anymore",
but what site would require me to send my password in cleartext over the
net anyway ?

Regards,
Willy
Received on Wednesday, 18 July 2012 06:19:13 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 18 July 2012 06:19:19 GMT