
Re: Privacy and its costs (was: Re: Mandatory encryption)

From: Mike Belshe <mike@belshe.com>
Date: Mon, 30 Jul 2012 21:43:19 -0700
Message-ID: <CABaLYCt7u3kbM-jxUoVAS-_L1bjpgx2NuMrLcx0SHCvNWiJN=A@mail.gmail.com>
To: Tim Bray <tbray@textuality.com>
Cc: Martin J. Dürst <duerst@it.aoyama.ac.jp>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
On Wed, Jul 18, 2012 at 8:23 PM, Tim Bray <tbray@textuality.com> wrote:

> Fair point; I should. -T
>

Yeah, belshe.com should too :-)

Part of the reason it is hard is because we haven't built the tools we
need.  Why haven't we built better tools?  Because it's too easy to opt out.
Every day, millions of site operators like bray and belshe sacrifice the
needs of the Internet for their own general laziness.

If the net were secure by default and offered no option to amateur blokes
like us, we'd soon have a one-liner command line mechanism to
request/sign/issue/install our server certs and we'd all be laughing about
how we used to say it was "hard".

Mike





>
> On Wed, Jul 18, 2012 at 5:13 PM, "Martin J. Dürst"
> <duerst@it.aoyama.ac.jp> wrote:
> > Hello Tim,
> >
> > On 2012/07/19 0:09, Tim Bray wrote:
> >>
> >> On Wed, Jul 18, 2012 at 6:56 AM, Eliot Lear<lear@cisco.com>  wrote:
> >
> >
> >>> This is a red herring.  The real argument is around the ability of all
> >>> web servers to get certificates
> >>
> >>
> >> This pattern keeps coming up.
> >> A: “Privacy is good”
> >> B: “No, because the technology is currently too expensive/unreliable”
> >>
> >> Uh... privacy is good.  -T
> >
> >
> > Okay, Tim, here's a challenge for you then:
> >
> > If privacy is important (I'm with you here, of course), and if privacy
> > requires TLS (like many others on this list, I have my strong doubts, but
> > you seem to think so), how come that your own site
> > http://www.tbray.org/ongoing/ still uses http rather than https?
> >
> > Is the privacy of the readers of Ongoing just less important than the
> > privacy of user of the average Web site? Or is it that you just haven't
> > realized that was still on http?
> >
> > Why don't you actually go to the trouble of moving Ongoing to TLS, with a
> > chained (i.e. not self-signed) certificate, and tell us how many working
> > hours/days and how much money it took you to set it up. This may make for
> > an interesting learning experience, and an interesting blog entry.
> >
> > [This challenge is of course also for all the other people who advocate
> > to tie in mandatory TLS with HTTP 2.0; I just picked Tim because I know
> > his site and I know he likes such challenges :-).]
> >
> > Regards,   Martin.
> >
> > P.S.: I have my own server for my lab (way less slick than Ongoing, I
> > have to admit), and I have considered using https: at least about once
> > every year, probably more. It would be the right thing to do. But the
> > amount of time it would require from me, to set it up and to make sure
> > it's set up correctly, is just too much.
>
>
Received on Tuesday, 31 July 2012 04:43:47 GMT
