
Re: How HTTP 2.0 mandatory security will actually reduce my personal security

From: Mike Belshe <mike@belshe.com>
Date: Thu, 14 Nov 2013 22:01:10 -0800
Message-ID: <CABaLYCte+2TBMOGvkKDVLX_h==9uWq773=8UpXRXBbWQ7hDWBA@mail.gmail.com>
To: Bruce Perens <bruce@perens.com>
Cc: httpbis mailing list <ietf-http-wg@w3.org>

On Thu, Nov 14, 2013 at 10:23 AM, Bruce Perens <bruce@perens.com> wrote:

>  On 11/14/2013 09:49 AM, Roberto Peon wrote:
>
> There is a means of opting out, however, which exists and is widely
> deployed: http1
>
> This isn't realistic unless the HTTP 2 specification makes support of HTTP
> 1 mandatory. Which of course is silly.
>
> There was near unanimity at the plenary that we should do something about
> pervasive monitoring
>
> You had a humming vote to give yourselves the new mission of curing social
> and political ills rather than technical ones, by inflicting a mandatory
> encryption requirement on everyone, everywhere? It sounds like a big
> overstep.
>
>
>  Let's make this more clear and ignore the Amateur Radio issue for now. I
> don't wish to be forced into concealment in my *normal operations on the
> Internet.*
>
>
>  Nor do I wish to have traffic over my personal network which I can not
> supervise. Unfortunately, there are a lot of operating systems and
> applications that I have not written which use that network. When I can't
> see the contents of their network traffic, it is more likely that traffic
> is being used to eavesdrop upon me. *Surrounding that traffic with chaff
> by requiring encryption of _all_ HTTP traffic means that this hostile
> encrypted traffic will be impossible to find.*
>
>
>  Thus, my security is reduced.
>
>
>  Even were that not the case, websites are changing to https for various
> other reasons
>
> That's fine, because it's their choice or the users' choice. Not yours.
>

Bruce -

I'm not going to win you over.  But I will try anyway.  Let's split this
into two questions:


   1) Should we be striving for more communications privacy and security in
HTTP at all?

   2) Is mandatory security a good step toward that goal?

   3) Is TLS a good step toward that goal?


Regarding #1:

General users can't tell when they should expect to have security on or off.
Many security usability studies have shown this.   Regardless of how you
feel about TLS or encryption or authentication, you probably agree that in
general, we should make the internet "just work" for people without them
having to know, "gee, is this security level the right one for me?"

I've spent a lot of time researching this, as have many others on this
list.  Our conclusion is that the only way to help them is to have
everything encrypted all the time.  The details of 128bit keys/certificate
expiration/server authenticated/TLS1.0/blah blah blah are subtleties that
Internet users today can't be expected to understand before going online.

This is very different from HTTP of yesteryear.  The malware present, the
bad actors present, and the volume of users online without strong technical
depth have radically changed since HTTP/1.1 was drafted 15 years ago.

Hopefully we agree that HTTP should be doing this and can stop debating
"but I want my open network for me in my house".  You're an expert.  You
can figure something out that you like, no matter what protocol choices we
make.



Regarding #2:

A lot of us on this list have studied HTTP and security and how to protect
general internet users today.

Our conclusion is that the only way to protect them is to have security on
all the time.  Users can't be expected to differentiate when it is the
right level - it needs to always be the right level.   And the website
operators, they don't know what a given user needs to encrypt/make
private/secure either.  There are obvious cases, like banking info, where
it is clear we all want to encrypt.  But other cases, this is gray.  The
only answer which always works is to simply encrypt all the time.  I'm not
really open to counter proposals on this - we've been researching this and
come to this conclusion slowly and deliberately over the last 10 years.



Regarding #3:

TLS is not as easy as it could be.  I agree.  This is in part because we
allow website owners that are technical enough to deploy TLS to not do so.
It's also an aging system that is in need of an update.

It will get addressed.  But it is far better than nothing.  MITM is
happening already, so we don't have to worry about instigating that.

But to accomplish #1 and #2 above, we need to start taking steps to protect
the users.  We can't improve the security in HTTP until we agree to PUT
some basic security into HTTP.  And right now, the only option on the table
to do so is TLS.

It'll be a little painful.  It won't be for everyone, and a few sites will
opt to keep with HTTP/1.1, just like 10 years ago when a few devices/sites
decided to keep with HTTP/1.0.


It will be 15 years before we get to take another shot at HTTP to add
security into it.   The timing is literally do it now, or for a lot of us
on this list, not in our lifetimes...

Mike










>
>      Thanks
>
>
>      Bruce
>
>
Received on Friday, 15 November 2013 06:01:37 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:11:19 UTC