
Re: How HTTP 2.0 mandatory security will actually reduce my personal security

From: Willy Tarreau <w@1wt.eu>
Date: Fri, 15 Nov 2013 08:15:05 +0100
To: Roberto Peon <grmocg@gmail.com>
Cc: Bruce Perens <bruce@perens.com>, HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <20131115071505.GC11628@1wt.eu>

Hi Roberto,

On Thu, Nov 14, 2013 at 09:38:10PM -0800, Roberto Peon wrote:
> We know that there is pervasive monitoring by many disparate parties.
> 
> What do you propose to do about it, or are you proposing that this is
> desirable?

A quick point here, yes there is this monitoring and yes we'd like to
get rid of it. But it seems amazing to me to see that people forget
the most important part: the only value of the information to collect
is on HTTPS and this monitoring happens mostly on HTTPS. End users'
gmail accesses get sniffed and have been for a while now in certain
countries. To the best of my knowledge, gmail is https-only, right?
So by migrating all non-important web sites from HTTP to HTTPS, we
won't fix this, at most we'll add more noise to the sniffers, except
that it's trivial to pick the domains or addresses they're interested
in. Again, the only short-term *fix* to this situation is to make the
user aware of what's happening. The UI could display in real time at
the bottom of the page the name of the cert issuer, for example. And
we must make it impossible to click through "I accept the risk" since
it provides no additional security over plain text.

Best regards,
Willy

Received on Friday, 15 November 2013 07:15:30 UTC
