Re: Moving forward on improving HTTP's security

From: Willy Tarreau <w@1wt.eu>
Date: Thu, 14 Nov 2013 00:16:26 +0100
To: Mike Belshe <mike@belshe.com>
Cc: Stephen Farrell <stephen.farrell@cs.tcd.ie>, William Chan <willchan@chromium.org>, Tao Effect <contact@taoeffect.com>, Tim Bray <tbray@textuality.com>, James M Snell <jasnell@gmail.com>, Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <20131113231626.GA10912@1wt.eu>
On Wed, Nov 13, 2013 at 02:32:19PM -0800, Mike Belshe wrote:
> Look, we've had this debate time and time again and it's always the people
> with vested interests that are against TLS.  I have yet to hear from a
> single person that is against TLS who isn't either a hacker, a government
> agent, or a seller of software which relies on unsecured traffic.  Not one.
>  Actually, the hackers don't care that much.

Mike, please stop saying I'm "against TLS", you sound like you don't read
or don't understand. I'm "for TLS" but "not for everything". And I'm in
neither category either.

> I do hear what you're writing, that you think use of more TLS will somehow
> cripple existing TLS, but you're ignoring that it is hackable now...

No I don't ignore it. And I also know it's not the biggest weakness of the
Web right now either (mobile code in the form of malware is doing a lot more
harm than TLS). But at least we can still educate people not to blindly
click on "I accept the risk" all day when they do this, and instead
teach them to read the details and accept or not depending on what they see
and the importance of the site they're visiting (eg: if forums.foo.com
presents a cert saying www.foo.com, and you're just looking for some hints
to configure your graphics driver, probably you don't mind about the warning).

Having them do so 1-3 times a day is probably acceptable. Doing it 10 times
more because the vast majority of the sites that will be forced to migrate
to TLS will have no interest in it and will not take care of doing it right
is a big problem.

> Our use of it doesn't change that.

For sure. So let's insist on something that you say yourself is already
hackable before we even have anything solid to base the design on? Your
reasoning sounds strange to me (we'll use TLS only for HTTP/2 because
it's hackable so for sure it will improve).

> Despite shortcomings, we do need to raise the bar -  there is real,
> documented evidence of that.

I agree with that as well. My conviction is that doing what you plan to
do will not raise the bar at all but will put it on the floor. We're
allowed to disagree, we've had that conversation many times and at least
we're consistent. It's a matter of beliefs, just like people have political
opinions or religions.

> And TLS will evolve too, and we (http) will evolve with it.

Great, so let's see it evolve first.

Willy
Received on Wednesday, 13 November 2013 23:16:59 UTC