- From: J Ross Nicoll <jrn@jrn.me.uk>
- Date: Wed, 18 Jul 2012 08:47:10 +0100
- To: Willy Tarreau <w@1wt.eu>
- CC: Phillip Hallam-Baker <hallam@gmail.com>, Paul Hoffman <paul.hoffman@gmail.com>, grahame@healthintersections.com.au, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
On 18/07/2012 07:09, Willy Tarreau wrote:
>> Making TLS a mandatory requirement seems like a feelgood approach to
>> security to me. Instead of doing something useful, we pass a
>> resolution telling people to do what they plan to do anyway.
> Agreed. As I already said multiple times, sensible services requiring
> privacy are already secured by TLS and it does not save them from being
> tampered. But with TLS everywhere, we'll make the situation worse by
> accustoming users to click all the day on "I accept the risks..." when
> connecting to most of the poorly managed sites including the self-signed
> equipments they run at home.
>
> I'm really against making such a thing mandatory because it will only
> improve privacy on a few services which actually do not need it and will
> globally deteriorate the overall security by lowering the level of control
> of users.
>
Agreed from here too; we run the risk of turning HTTP 2.0 into a
debacle. People running small blogs/sites/whatever will not understand
why security is important, and will not want to bother with
certificates. Their hosting providers will go where their customers
want, not where we want, and will remain on HTTP 1.1 indefinitely. Even
if they did move, I'd expect to see rampant use of self-signed, or worse
snake-oil certificates ("Need files for that weird thing you don't
understand that your hosting provider keeps asking about? Here, you can
download ones I made for you..."), followed by a culture of ignoring
warnings on those certificates (and I would be extremely surprised if we
didn't see browser extensions to click-through the warnings automatically).
I see the queries that come to the helpdesk, and how much we struggle
just to stop users from e-mailing their passwords to everyone who fakes
a vaguely credible looking message from IT, the thought of trying to
teach everyone about proper encrypted communication is somewhere between
nightmarish and hopeless IMHO.
In terms of countries banning technologies that don't allow them to
monitor their citizen's communication, I give you India and Blackberry:
http://www.bbc.co.uk/news/business-11131330
Received on Wednesday, 18 July 2012 07:47:41 UTC