Re: Privacy and its costs (was: Re: Mandatory encryption)

From: Greg Wilkins <gregw@intalio.com>
Date: Mon, 6 Aug 2012 11:44:33 +1000
Message-ID: <CAH_y2NH_f9CFPOHsFr+8Aa8UT4XAAxeMSxLLO+dqoDMC57=QNg@mail.gmail.com>
To: ietf-http-wg@w3.org
On 31 July 2012 14:43, Mike Belshe <mike@belshe.com> wrote:
>
>
> On Wed, Jul 18, 2012 at 8:23 PM, Tim Bray <tbray@textuality.com> wrote:
>>
>> Fair point; I should. -T
>
>
> Yeah, belshe.com should too :-)
>

Mike,

I don't understand the benefit of encrypting traffic to/from a public
blog site. There is no privacy obtained by doing so.

If I can see somebody on my network make a connection to belshe.com,
then I can go browse that site myself and see all the content that the
encrypted connection has available to it.  By looking at the dates and
sizes of the data transfers, I can make a pretty good estimate of the
pages that the encrypted connection has accessed.

TLS provides little privacy in this situation as I will know who the
client connected to, what they saw and when they saw it. Even if the
browser pushes content, for a blog site that is more often than not a
comment, so that will get published as well and again size/date
matching can be very effective at working out who said what.

If privacy is a necessary attribute of HTTP/2.0, then we will have to
prevent direct connections to servers and all traffic will need to go
via anonymous proxy services.

There may well be good arguments for having confidential content as
the default for HTTP/2.0, but privacy is not one of them.

cheers

-- 
Greg Wilkins <gregw@intalio.com>
http://www.webtide.com
Developer advice and support from the Jetty & CometD experts.
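The size/date matching described in the message above, worked through as an added example (this is not code from the message or from any project mentioned in the thread). The page catalogue, the per-response overhead and the observed transfer sizes are all constructed values; the point is to show how a passive observer with a catalogue of a public site's page sizes can attribute encrypted transfers, and how far a defender-side mitigation, padding responses to fixed-size buckets, goes toward blunting that attribution and where it stops.

```python
"""Size-based attribution of encrypted transfers to pages of a public site.

Added example for the argument in the mailing-list message above. All
sizes below are constructed, not measured from any real site.
"""

# Constructed catalogue: body size in bytes of each public page, as anyone
# could record by browsing the site themselves.
PAGE_SIZES = {
    "/2012/07/spdy-and-encryption": 41_207,
    "/2012/06/http2-draft-notes": 38_951,
    "/about": 12_418,
    "/feed.xml": 63_540,
}

# Assumed fixed cost per response (HTTP headers plus TLS record framing).
# A real observer would estimate this from a few of their own fetches.
OVERHEAD = 600


def catalogue_with_overhead(page_sizes, overhead=OVERHEAD):
    """Expected on-the-wire size of each page as the observer would see it."""
    return {path: size + overhead for path, size in page_sizes.items()}


def identify_page(observed_bytes, catalogue, tolerance=200):
    """Return the paths whose expected size is within `tolerance` bytes of the
    observed transfer.  One result: the page is identified.  Several: the
    observation is ambiguous.  None: no catalogue page matches."""
    return sorted(
        path
        for path, expected in catalogue.items()
        if abs(expected - observed_bytes) <= tolerance
    )


def attribute_flows(flows, catalogue, tolerance=200):
    """flows: (timestamp, bytes_transferred) pairs as seen by an on-path
    observer who cannot read the payload.  Returns the candidate pages for
    each flow, which is exactly the date/size matching the message describes."""
    return [(ts, identify_page(n, catalogue, tolerance)) for ts, n in flows]


def pad_to_bucket(size, bucket=16_384):
    """Defender-side mitigation: pad a response up to the next multiple of
    `bucket` so that pages of different length share one wire size."""
    return -(-size // bucket) * bucket


def padded_catalogue(catalogue, bucket=16_384):
    """What the observer's catalogue looks like once the server pads."""
    return {path: pad_to_bucket(size, bucket) for path, size in catalogue.items()}


if __name__ == "__main__":
    cat = catalogue_with_overhead(PAGE_SIZES)
    # Constructed observations: three encrypted responses seen on the wire.
    flows = [(1343774610, 41_790), (1343774655, 13_050), (1343774702, 64_100)]
    for ts, candidates in attribute_flows(flows, cat):
        print(ts, candidates)

    # After padding, the two blog posts collapse into the same 48 KiB bucket
    # and can no longer be told apart; /about and /feed.xml still stand out,
    # so bucket padding narrows the leak but does not close it.
    padded = padded_catalogue(cat)
    for ts, n in flows:
        print(ts, identify_page(pad_to_bucket(n), padded, tolerance=0))
```

Bucket padding is a trade-off the server operator controls: larger buckets hide more pages behind one size at the cost of bandwidth, and timing, request count and the destination name remain visible regardless, which is the message's broader point.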
Received on Monday, 6 August 2012 01:45:00 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 6 August 2012 01:45:06 GMT