Re: Moving forward on improving HTTP's security from Willy Tarreau on 2013-11-13 (ietf-http-wg@w3.org from October to December 2013)

From: Willy Tarreau <w@1wt.eu>
Date: Wed, 13 Nov 2013 23:07:56 +0100
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Cc: Mike Belshe <mike@belshe.com>, "William Chan (?????????)" <willchan@chromium.org>, Tao Effect <contact@taoeffect.com>, Tim Bray <tbray@textuality.com>, James M Snell <jasnell@gmail.com>, Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <20131113220756.GI31577@1wt.eu>

On Wed, Nov 13, 2013 at 09:57:46PM +0000, Stephen Farrell wrote:
> > Huh ? No. I mean "The TLS model is fine for me as long as it's used where
> > needed and if it's not abused because I expect all actors in the chain to
> > care about security". Let's ensure we don't break that weak link from the
> > root CAs to me by making its use mandatory for all no-value stuff that
> > nobody cares about and which will make it normal for everyone to deploy
> > broken configs and rogue CAs everywhere for the sake of simplicity.
> 
> Break the link by making it mandatory sounds like wild supposition.

Well, TLS was supposedly unbreakable till it became the norm to break
it on MITM proxies in companies. When there's a good reason for doing
it, the adequate methods are deployed. Whether they are "you just need
to install the attached certs in your browser to get rid of the warnings
when you're browsing" or "you may only use the browser preinstalled on
the PC".

Right now there's no motive for doing so. When ISPs with small links and
big caches will see they have two choices :
  - send a cert to all their customers
  - multiply their bandwidth by 10

Do you really think they'll pick the second one ? No, they'll do the first
one and only multiply the pipe by 2 do handle the few users who accept to
pay more for getting rid of the cache without sacrificing the security. It
is very simple, users will definitely accept this en masse because they
don't care. It already works perfectly in large companies and everyone is
happy with that. And better, with most of the bandwidth going to smartphones,
themselves massively sold by mobile providers, it will be transparent for the
user, the phone will come preinstalled with the "valid certs" and it will be
mentionned in the contract that the ISP reserves the right to see the traffic
in cleartext for law enforcement and everyone will accept except a few, just
the same that absolutely want to get the sources of every component in their
phones and which no ISP wants to have as customers.

I don't see how hard it is to understand in fact :-/

Willy

Received on Wednesday, 13 November 2013 22:08:30 UTC