
Re: Privacy and its costs (was: Re: Mandatory encryption)

From: Zhong Yu <zhong.j.yu@gmail.com>
Date: Wed, 18 Jul 2012 19:54:00 -0500
Message-ID: <CACuKZqHXcLhzEkT_psoKBJZSiLA781Z=VtBZuCwCXTReAsHhUQ@mail.gmail.com>
To: Martin J. Dürst <duerst@it.aoyama.ac.jp>
Cc: Tim Bray <tbray@textuality.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Very good point. When I tried to make a comment on the site, I was
prompted with an anti-spam question "Is Adolf Hitler generally
considered to have been good or bad?". If I submit the form in plain
http, and Hitler is snooping, I'll be in trouble.

On Wed, Jul 18, 2012 at 7:13 PM, "Martin J. Dürst"
<duerst@it.aoyama.ac.jp> wrote:
> Hello Tim,
>
> On 2012/07/19 0:09, Tim Bray wrote:
>>
>> On Wed, Jul 18, 2012 at 6:56 AM, Eliot Lear<lear@cisco.com>  wrote:
>
>
>>> This is a red herring.  The real argument is around the ability of all
>>> web
>>> servers to get certificates
>>
>>
>> This pattern keeps coming up.
>> A: “Privacy is good”
>> B: “No, because the technology is currently too expensive/unreliable”
>>
>> Uh... privacy is good.  -T
>
>
> Okay, Tim, here's a challenge for you then:
>
> If privacy is important (I'm with you here, of course), and if privacy
> requires TLS (like many others on this list, I have my strong doubts, but
> you seem to think so), how come that your own site
> http://www.tbray.org/ongoing/ still uses http rather than https?
>
> Is the privacy of the readers of Ongoing just less important than the
> privacy of users of the average Web site? Or is it that you just haven't
> realized that it was still on http?
>
> Why don't you actually go to the trouble of moving Ongoing to TLS, with a
> chained (i.e. not self-signed) certificate, and tell us how many working
> hours/days and how much money it took you to set it up. This may make for an
> interesting learning experience, and an interesting blog entry.
>
> [This challenge is of course also for all the other people who advocate to
> tie in mandatory TLS with HTTP 2.0; I just picked Tim because I know his
> site and I know he likes such challenges :-).]
>
> Regards,   Martin.
>
> P.S.: I have my own server for my lab (way less slick than Ongoing, I have
> to admit), and I have considered using https: at least about once every
> year, probably more. It would be the right thing to do. But the amount of
> time it would require from me, to set it up and to make sure it's set up
> correctly, is just too much.
>
Received on Thursday, 19 July 2012 00:54:27 GMT
