
Re: Moving forward on improving HTTP's security

From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Date: Thu, 14 Nov 2013 01:37:27 +0000
Message-ID: <52842957.1010806@cs.tcd.ie>
To: Willy Tarreau <w@1wt.eu>, "William Chan (?????????)" <willchan@chromium.org>
CC: Adrien de Croy <adrien@qbik.com>, Mike Belshe <mike@belshe.com>, Tao Effect <contact@taoeffect.com>, Tim Bray <tbray@textuality.com>, James M Snell <jasnell@gmail.com>, Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>


On 11/14/2013 01:09 AM, Willy Tarreau wrote:
> least detestable

The second word of that phrase seems to me to be
almost perfectly appropriate for MITM attack product
features. But, importantly, I think your use of
the phrase does expose the reality of what we all
think of doing that, even, I suspect and hope, those
who do it for fun or profit. Thank you.

As to the supposed requirements that lead to those
detestable product features - if enforcing policy on
HTTP traffic is what is claimed to be required then
I would love to see this wg go figure out ways of doing
that using HTTP (rather than *ab*using TLS) so as to
not affect the many many other protocols that depend
on TLS not being as detestable as the implementations
you're talking about. But personally speaking I don't
know how you can do that without screwing up the many
other protocols that depend on https:// and in the
process making those also detestable.

Cheers,
S.

PS: "Supposed" above is I think fair for most of the
"requirements" claimed in this space. There is some
validity to realtime inbound malware scanning but
the rest seems like nonsense. I do wonder why people
who pay for those products don't realise this;-)

Received on Thursday, 14 November 2013 01:37:52 UTC
