
Re: Moving forward on improving HTTP's security

From: Nicolas Mailhot <nicolas.mailhot@laposte.net>
Date: Thu, 14 Nov 2013 12:16:38 +0100
Message-ID: <12115ce7f8f449b01b020f7931a5bf79.squirrel@arekh.dyndns.org>
To: "Stephen Farrell" <stephen.farrell@cs.tcd.ie>
Cc: "Willy Tarreau" <w@1wt.eu>, "William Chan" <willchan@chromium.org>, "Adrien de Croy" <adrien@qbik.com>, "Mike Belshe" <mike@belshe.com>, "Tao Effect" <contact@taoeffect.com>, "Tim Bray" <tbray@textuality.com>, "James M Snell" <jasnell@gmail.com>, "Mark Nottingham" <mnot@mnot.net>, "HTTP Working Group" <ietf-http-wg@w3.org>

Le Jeu 14 novembre 2013 02:37, Stephen Farrell a écrit :

> PS: "Supposed" above is I think fair for most of the
> "requirements" claimed in this space. There is some
> validity to realtime inbound malware scanning but
> the rest seems like nonsense.

What's the nonsense about filtering video platforms if you don't want to
pay for the bandwidth and your users' jobs do not include watching videos on
youtube? Or filtering all the web services that enable tunnelling pretty
much any protocol over http to bypass the firewalls that were set up to
protect your internal equipment?

> I do wonder why people
> who pay for those products don't realise this;-)

Because the costs of a security incident, or of users massively using the
web as an entertainment platform like at home, dwarf both the costs of
setting up control equipment and of trying to educate users any other way?

How many users does it take in an organisation before they get out of
control and IT support is reduced to a helldesk? Not a lot, I can tell you
(except if you're lucky enough that all your users are IT professionals,
and even then it won't be a home run).

-- 
Nicolas Mailhot
Received on Thursday, 14 November 2013 11:17:08 UTC
