- From: Nicolas Mailhot <nicolas.mailhot@laposte.net>
- Date: Wed, 18 Jul 2012 21:37:39 +0200
- To: "Yoav Nir" <ynir@checkpoint.com>
- Cc: "Nicolas Mailhot" <nicolas.mailhot@laposte.net>, "Mike Belshe" <mike@belshe.com>, "Phillip Hallam-Baker" <hallam@gmail.com>, "Adrien W. de Croy" <adrien@qbik.com>, "Rajeev Bector" <rbector@yahoo-inc.com>, "Martin Thomson" <martin.thomson@gmail.com>, "Martin J. Dürst" <duerst@it.aoyama.ac.jp>, "Doug Beaver" <doug@fb.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Le Mer 18 juillet 2012 16:03, Yoav Nir a écrit : > Wow. It's like I have to run to the other side of the table to argue for > the other side… > > On Jul 18, 2012, at 4:24 PM, Nicolas Mailhot wrote: >> >> That being said: >> >> 1. I don't read the bank (or other correspondence) of my users >> >> 2. I'm not asked to read the bank (or other correspondence) of my users, >> either by management or a police state (divulging it would take a legal >> injunction I think, never had to deal with those) > > It's a good thing that you don't read bank transactions and that you don't > get asked to. But you could read the bank transactions if you wanted to > (or were asked to). No one is going to ask me to do so. Much simpler to hire some shady character to deploy a keylogger on the target user computer, and no need to involve an honest general-purpose network joe like me. Your threat assessment is faulty. > If the data goes over HTTP you can do it with > something as simple as TCPDUMP. If it goes over SSL, you'll need a TLS > proxy. The security issue is not that you want to do it, but that you and > others with similar jobs to yours can do it. The security issue is that the protocol is not well behaved and does not let users negotiate the level of protection they deem necessary and which is possible to negotiate in a particular social setting. The protocol is an absolute god-awful under-specified mess that leaves users at the mercy of web sites, intermediaries and browser writers. Instead of giving users the tools to assess and control connexion state, so they are able to perform this negotiation (which they are the *only* ones legitimate to perform) browsers and big sites have embarked in an anal blind quest to apply TLS everywhere and *that* is the reason there are MITM ssl interception boxes sprouting right and left today. In an all-or-nothing world users get *nothing* on networks where they are guests if the protocol and tools do not provide them the means to behave like guests. In an all-or-nothing world me and other intermediary operators get total control because there is no middle knob between no control and total control, and no control is not acceptable to the network owner who has veto power by definition. It's no use advertising the triply iron-clad TLS door to a social site when said social site leaks user information like a sieve, often deliberately. Not only it is not helping the user it's actively deceiving him. The day the protocols and tools help user check what is send in clear, what had been integrity checked, what has been crypted, by whom and to whom (and whom send the various error pages), and decide themselves what they want (to they allow middlemen to accelerate or malware-check some elements ; do they insist that others must be totally opaque even at the cost of losing connection on networks they do not control) then people can claim they are pro-users. (it's not rocket science, it's just defining a protocol that permits different compromise levels, providing means to users to tag accesses as belonging to one category or the other, and having the web client negotiate automatically the best compromise it can on the available networks. And yes that would also permit users to bloc collection of data by advertisers and other commercial entities if they wish so) All the mashup, sharding, clouding, ajaxy stuff while convenient for web site and browser developers has resulted in a mess no normal user could identify any trust domain in. No amount of TLS-ing is going to fix the trust problem. Multiplexing will make the situation worse, not better. So please instead of continuing to make choices for the users please make http connexions simpler to understand by users so they can make educated security decisions (and putting grocery shopping on the same level as bank account accesses is no making connexions simpler to understand it shows users you don't give a fig about their actual needs). I defy any of the pro-crypto people here to poll random people in the street and make them say they'd rather have the internet become even more complex and opaque, to provide total confidentiality, instead of being as simple to use as a wired phone (even if everyone knows governments can wiretap wired phones) >> 3. When confidential (company or user) data leaks it's always at the >> server endpoints, usually because those endpoints didn't care a bit >> about >> user data confidentiality. > > Well, we know that some countries monitor traffic for censorship and to > discover dissidents. Most would call this data leakage, and it's not at > the endpoints. I'm quite sure those countries also read dissident blogs and social sites and that they get more info this way than by monitoring traffic. >> 12. we absolutely do *not* want to eavesdrop on bank accesses, >> e-government forms, etc. We'd much prefer if such a traffic could be >> send >> in encrypted payloads with in-clear routing metadata (there I differ a >> bit >> from Willy, but I accept he has customers with stricter requirements >> than >> ours) > > Does "we" include the no such agency? The no such agency has backdoors in all the big US web sites that want to save people in other countries from spying with TLS. It does not even need to profile people anymore those sites are doing it openly and for free in its stead. With likedin it can downsize its economic intelligence arm too (or even peek directly at data processed in the clouds of Amazon & friends) This is spook paradise > Does it include its counterparts in Iran and Syria? I'm sure they will catch up on the new way of offloading intelligence to web site operators soon if they haven't yet. The Chinese certainly did a long time ago. >There are all sorts of people installing middleboxes. And there are all sorts of people that do not want to be made targets because their technology provider decided it was smart to make them go dark and behave like enemies of the state. You don't solve political problems with simplistic binary technical changes (especially when you focus on the element which is not the worst problem today). Governments and populations adapt either way. And just because some populations do not like their government does not necessarily mean they prefer to give the keys of their lives to facebook or google (which is what will happen with a system too complex to control by anyone but first-rank websites) -- Nicolas Mailhot
Received on Wednesday, 18 July 2012 19:38:28 UTC