W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2013

Re: Moving forward on improving HTTP's security

From: James M Snell <jasnell@gmail.com>
Date: Wed, 13 Nov 2013 14:40:24 -0800
Message-ID: <CABP7Rbeg5LD7n8_=TGFfOM0bMDPf2WmqKkY_xJEV6rc-H=U55Q@mail.gmail.com>
To: Mike Belshe <mike@belshe.com>
Cc: Willy Tarreau <w@1wt.eu>, Stephen Farrell <stephen.farrell@cs.tcd.ie>, "William Chan (?????????)" <willchan@chromium.org>, Tao Effect <contact@taoeffect.com>, Tim Bray <tbray@textuality.com>, Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
On Wed, Nov 13, 2013 at 2:32 PM, Mike Belshe <mike@belshe.com> wrote:
[snip]
>
> Look, we've had this debate time and time again and its always the people
> with vested interests that are against TLS.  I have yet to hear from a
> single person that is against TLS who isn't either a hacker, a government
> agent, or a seller of software which relies on unsecured traffic.  Not one.
> Actually, the hackers don't care that much.
>

Such generalizations are pointless, really; and do nothing to move the
ball forward. FWIW, I am against mandatory TLS and I do not fall into
any of your categories above. Oh, certainly, there may very well
people others who work for the same company I do that might fall into
one of these categories, but I'm not here representing them, nor am I
here representing my employer. I'm here as an individual with
absolutely zero "vested interest" against TLS. I'm sure I am not the
only one who doesn't fit into the pigeon holes you have carved out, so
please, let's stop the pointless rhetoric and stick to the *technical*
merits of the proposals.

Strongly recommending the use of TLS is fine; even making it the
default option is fine; mandating TLS is not fine and could be
actively counterproductive to addressing the real underlying problems
by either providing a false sense of security or by actively
encouraging abuse.

- James

> I do hear what you're writing, that you think use of more TLS will somehow
> cripple existing TLS, but you're ignoring that it is hackable now...  Our
> use of it doesn't change that.  Despite shortcomings, we do need to raise
> the bar -  there is real, documented evidence of that.  And TLS will evolve
> too, and we (http) will evolve with it.
>
> Upwards and onwards!
>
> Mike
>
>
>
>>
>>
>> Willy
>>
>
Received on Wednesday, 13 November 2013 22:41:11 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:11:19 UTC