
Re: How HTTP 2.0 mandatory security will actually reduce my personal security

From: Roberto Peon <grmocg@gmail.com>
Date: Thu, 14 Nov 2013 21:38:10 -0800
Message-ID: <CAP+FsNeHtkHTK1dGz3uqYZgORiXiWmgSEnW0oUFABu8YubPf1A@mail.gmail.com>
To: Bruce Perens <bruce@perens.com>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
On Nov 14, 2013 8:24 AM, "Bruce Perens" <bruce@perens.com> wrote:
>
> On 11/14/2013 09:49 AM, Roberto Peon wrote:
>>
>> There is a means of opting out, however, which exists and is widely
>> deployed: http1
>
> This isn't realistic unless the HTTP 2 specification makes support of
> HTTP 1 mandatory. Which of course is silly.
>>
>> There was near unanimity at the plenary that we should do something
>> about pervasive monitoring
>
> You had a humming vote to give yourselves the new mission of curing
> social and political ills rather than technical ones, by inflicting a
> mandatory encryption requirement on everyone, everywhere? It sounds like a
> big overstep.

You are putting words in people's mouths, or at least doing some liberal
coloring outside the lines.

We know that there is pervasive monitoring by many disparate parties.

What do you propose to do about it, or are you proposing that this is
desirable?

>
> Let's make this more clear and ignore the Amateur Radio issue for now. I
> don't wish to be forced into concealment in my normal operations on the
> Internet.

Then don't browse any site which uses or requires https? Or, use a browser
which sticks to a plaintext protocol?
Why is this difficult?

>
> Nor do I wish to have traffic over my personal network which I can not
> supervise.

You should probably close off all unknown, non-plaintext ports, or install
a MITM for the SSL stuff.

> Unfortunately, there are a lot of operating systems and applications that
> I have not written which use that network. When I can't see the contents of
> their network traffic, it is more likely that traffic is being used to
> eavesdrop upon me. Surrounding that traffic with chaff by requiring
> encryption of _all_ HTTP traffic means that this hostile encrypted traffic
> will be impossible to find.

Sure, there is most definitely a tradeoff between ensuring privacy across
the open net and being able to look into all streams.
What I don't see, however, is how you will ever have enough time to
understand all of the interactions which are ongoing on your network--
steganography is just too easy, even for plaintext.

>
> Thus, my security is reduced.
>
>> Even were that not the case, websites are changing to https for various
>> other reasons
>
> That's fine, because it's their choice or the users choice. Not yours.

Yes? And what is proposed is still that...

-=R

>
>
>     Thanks
>
>
>     Bruce
>
>
Received on Friday, 15 November 2013 05:38:38 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:11:19 UTC