Re: Moving forward on improving HTTP's security

Thanks, and don’t beat yourself too badly — we’re all guilty of this in some way. The current conversation is… challenging, in that we all have strong feelings about it. 

Great to have you contributing.

Cheers,


On 14 Nov 2013, at 10:58 am, Tao Effect <contact@taoeffect.com> wrote:

> Sorry list,
> 
> I'd like to apologize for my word choice in that previous email, it was completely uncalled for, and I regretted it almost immediately after sending it. Alas, this is where gmail's undo feature would have saved me, but I do not trust gmail. :-p
> 
> Mark contacted me off list and wisely pointed out that disparaging an idea without giving explanation for it is also unhelpful, and I agree 100% with that, and again, apologize to Mark and the whole list for my mistake.
> 
> I have been reading through the RFC throughout the day, and will point more constructive comments to the list later, and hopefully, in a much more tasteful manner.
> 
> Sincerely,
> Greg Slepak
> 
> --
> Please do not email me anything that you are not comfortable also sharing with the NSA.
> 
> On Nov 13, 2013, at 9:10 PM, Tao Effect <contact@taoeffect.com> wrote:
> 
>> On Nov 13, 2013, at 8:56 PM, Frédéric Kayser <f.kayser@free.fr> wrote:
>> 
>>> May I ask if encryption is a free operation? or (as I suspect) does it impact CPU usage and therefore power consumption on both (servers and clients) sides, possibly increasing server rooms electricity bills, reducing smartphones autonomy and make F5 Networks stocks surge.
>> 
>> IMO, of the various concerns raised so far, this is one of the more lower-priority ones, because:
>> 
>> 1. Encryption is a "free operation" (to an extent) if the hardware supports it.
>> 2. People's lives are more important than an electricity bill (I know, however, that many disagree on this one).
>> 
>> That's not to say that I think the this proposal is a brilliant one.
>> 
>> I do support encrypting HTTP (even mandating it), but it must be done correctly, not in some half-assed way that just unnecessarily complicates everyone's life and doesn't actually improve today's security.
>> 
>> - Greg
>> 
>> --
>> Please do not email me anything that you are not comfortable also sharing with the NSA.
>> 
>>> 
>>>  I let you guess if my preoccupation is self-seeking or rather environmental… 
>>> I thought that HTTP/2 would progressively entirely replace HTTP/1.1 but making HTTPS mandatory is probably the best way to keep it around indefinitely.
>>> 
>>> 
>>> Tim Bray wrote:
>>> 
>>>> On Wed, Nov 13, 2013 at 12:01 PM, William Chan (陈智昌) <willchan@chromium.org> wrote:
>>>>  
>>>> * The marginal security benefit of unauthenticated encryption is fairly marginal. Which adversary is this intended to defeat? It might defeat something like Firesheep for now, until tools like that get updated to MITM as well. Does it shift the economics very much on passive pervasive monitoring? What wins do y'all foresee here?
>>>> 
>>>> Shifting the economics on pervasive surveillance seems like the big deal to me. It becomes much less attractive for three-letter agencies to just collect everything and data-mine it.  MITM-ing on a large scale doesn’t sound very practical.
>>>>  
>>>> * As for downsides, will people read too much into the marginal security benefit and thus think that it's OK not to switch to HTTPS? If so, that would be terrible. It's hard to assess how large this risk is though. Do you guys have thoughts here?
>>>> 
>>>> I agree that’s a risk, but we’re all kind of talking out of our asses here because we don’t have any data.  My intuition is that people who actually understand the issues will understand the shortcomings of opportunistic and not use it where inappropriate, and people who don’t get why they should encrypt at all will get some encryption happening anyhow.  But intuition is a lousy substitute for data.
>>> 
>> 
> 

--
Mark Nottingham   http://www.mnot.net/

Received on Thursday, 14 November 2013 03:04:31 UTC