
Re: Privacy and its costs (was: Re: Mandatory encryption)

From: Tim Bray <tbray@textuality.com>
Date: Mon, 30 Jul 2012 23:55:58 -0700
Message-ID: <CAHBU6ispTAnP7KKCZQyEzKmye+L8xYOEbUn33i4xLbTv0C4ayQ@mail.gmail.com>
To: Yoav Nir <ynir@checkpoint.com>
Cc: Mike Belshe <mike@belshe.com>, Martin J. Dürst <duerst@it.aoyama.ac.jp>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>

On Mon, Jul 30, 2012 at 11:28 PM, Yoav Nir <ynir@checkpoint.com> wrote:
> Disagree. belshe.com is just somebody's blog. It's not financial
> information, there are no privacy issues, no medical data, no potentially
> embarrassing association with sexual minorities. Why would you want to spend
> any resources securing that?

Excuse me, what exactly do you know about my sexual preferences or Mike
Belshe’s and why are you so sure that we might not want to discuss them
without accidentally putting our readers in a place where the Basiji come
knocking at the door?

This is why it’s reasonable to think it important that privacy be the
default.  Because if it isn’t, then turning privacy on is a powerful
signal to the Men In The Middle to start watching.

It’s unfortunate that you find association with minorities embarrassing.  -T

>
> And securing that has costs. There's extra CPU (although I guess the
> smallest server you can buy can handle your site both with and without SSL),
> there's the cost of certificates, there's the administrative effort in
> getting and deploying the certificates, and there's the loss of caching
> ability all over the Internet.
>
> Sure, my bank, my HMO and mail.google.com need to have encryption. Yes, as
> long as HTTP without S exists, browsers can be tricked into doing this
> unencrypted. But why should you and Tim bear the cost of securing those
> banking sites? Let them use HSTS or some future DNS-based strict transport
> security.
>
> Yoav
>
>
Received on Tuesday, 31 July 2012 06:56:28 GMT
