
Re: Moving forward on improving HTTP's security

From: Frédéric Kayser <f.kayser@free.fr>
Date: Thu, 14 Nov 2013 02:56:45 +0100
To: ietf-http-wg@w3.org
Message-Id: <C42A21EB-F93D-4F2E-B5FC-4996900B60B7@free.fr>
May I ask whether encryption is a free operation? Or (as I suspect) does it impact CPU usage, and therefore power consumption, on both sides (servers and clients), possibly increasing server room electricity bills, reducing smartphones' autonomy and making F5 Networks stock surge? I'll let you guess whether my preoccupation is self-seeking or rather environmental…
I thought that HTTP/2 would progressively replace HTTP/1.1 entirely, but making HTTPS mandatory is probably the best way to keep it around indefinitely.


Tim Bray wrote:

> On Wed, Nov 13, 2013 at 12:01 PM, William Chan (陈智昌) <willchan@chromium.org> wrote:
>  
> * The marginal security benefit of unauthenticated encryption is fairly marginal. Which adversary is this intended to defeat? It might defeat something like Firesheep for now, until tools like that get updated to MITM as well. Does it shift the economics very much on passive pervasive monitoring? What wins do y'all foresee here?
> 
> Shifting the economics on pervasive surveillance seems like the big deal to me. It becomes much less attractive for three-letter agencies to just collect everything and data-mine it.  MITM-ing on a large scale doesn’t sound very practical.
>  
> * As for downsides, will people read too much into the marginal security benefit and thus think that it's OK not to switch to HTTPS? If so, that would be terrible. It's hard to assess how large this risk is though. Do you guys have thoughts here?
> 
> I agree that’s a risk, but we’re all kind of talking out of our asses here because we don’t have any data.  My intuition is that people who actually understand the issues will understand the shortcomings of opportunistic and not use it where inappropriate, and people who don’t get why they should encrypt at all will get some encryption happening anyhow.  But intuition is a lousy substitute for data.
Received on Thursday, 14 November 2013 01:57:16 UTC
