Re: HTTP2 Expression of Interest

Wow. It's like I have to run to the other side of the table to argue for the other side…

On Jul 18, 2012, at 4:24 PM, Nicolas Mailhot wrote:
> 
> That being said:
> 
> 1. I don't read the bank (or other correspondence) of my users
> 
> 2. I'm not asked to read the bank (or other correspondence) of my users,
> either by management or a police state (divulging it would take a legal
> injunction I think, never had to deal with those)

It's a good thing that you don't read bank transactions and that you don't get asked to. But you could read the bank transactions if you wanted to (or were asked to). If the data goes over HTTP you can do it with something as simple as TCPDUMP. If it goes over SSL, you'll need a TLS proxy.  The security issue is not that you want to do it, but that you and others with similar jobs to yours can do it.

> 3. When confidential (company or user) data leaks it's always at the
> server endpoints, usually because those endpoints didn't care a bit about
> user data confidentiality.

Well, we know that some countries monitor traffic for censorship and to discover dissidents. Most would call this data leakage, and it's not at the endpoints.

> 12. we absolutely do *not* want to eavesdrop on bank accesses,
> e-government forms, etc. We'd much prefer if such traffic could be sent
> in encrypted payloads with in-clear routing metadata (there I differ a bit
> from Willy, but I accept he has customers with stricter requirements than
> ours)

Does "we" include the no such agency?  Does it include its counterparts in Iran and Syria? There are all sorts of people installing middleboxes.

Yoav

Received on Wednesday, 18 July 2012 14:08:23 UTC