
Re: Mandatory encryption

From: J Ross Nicoll <jrn@jrn.me.uk>
Date: Wed, 18 Jul 2012 08:47:10 +0100
Message-ID: <500669FE.5080107@jrn.me.uk>
To: Willy Tarreau <w@1wt.eu>
CC: Phillip Hallam-Baker <hallam@gmail.com>, Paul Hoffman <paul.hoffman@gmail.com>, grahame@healthintersections.com.au, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>


On 18/07/2012 07:09, Willy Tarreau wrote:
>> Making TLS a mandatory requirement seems like a feelgood approach to
>> security to me. Instead of doing something useful, we pass a
>> resolution telling people to do what they plan to do anyway.
> Agreed. As I already said multiple times, sensible services requiring
> privacy are already secured by TLS and it does not save them from being
> tampered. But with TLS everywhere, we'll make the situation worse by
> accustoming users to click all the day on "I accept the risks..." when
> connecting to most of the poorly managed sites including the self-signed
> equipments they run at home.
>
> I'm really against making such a thing mandatory because it will only
> improve privacy on a few services which actually do not need it and will
> globally deteriorate the overall security by lowering the level of control
> of users.
>
Agreed from here too; we run the risk of turning HTTP 2.0 into a 
debacle. People running small blogs/sites/whatever will not understand 
why security is important, and will not want to bother with 
certificates. Their hosting providers will go where their customers 
want, not where we want, and will remain on HTTP 1.1 indefinitely. Even 
if they did move, I'd expect to see rampant use of self-signed, or worse, 
snake-oil certificates ("Need files for that weird thing you don't 
understand that your hosting provider keeps asking about? Here, you can 
download ones I made for you..."), followed by a culture of ignoring 
warnings on those certificates (and I would be extremely surprised if we 
didn't see browser extensions to click through the warnings automatically).

I see the queries that come to the helpdesk, and how much we struggle 
just to stop users from e-mailing their passwords to everyone who fakes 
a vaguely credible-looking message from IT; the thought of trying to 
teach everyone about proper encrypted communication is somewhere between 
nightmarish and hopeless IMHO.

In terms of countries banning technologies that don't allow them to 
monitor their citizens' communication, I give you India and Blackberry: 
http://www.bbc.co.uk/news/business-11131330
Received on Wednesday, 18 July 2012 07:47:41 GMT
