
Re: Fwd: A proposal

From: Willy Tarreau <w@1wt.eu>
Date: Wed, 20 Nov 2013 02:23:42 +0100
To: Mike Belshe <mike@belshe.com>
Cc: httpbis mailing list <ietf-http-wg@w3.org>
Message-ID: <20131120012342.GC22150@1wt.eu>

On Tue, Nov 19, 2013 at 09:00:22AM -0800, Mike Belshe wrote:
> People do die because of unencrypted HTTP.  I'm not sure how many
> governments have to get caught before you'll agree with this fact.  From
> Iran to China to the US, this is widespread.

I'd be interested if anybody knows the ratio of gmail accounts that
were snooped from cleartext vs those snooped on https. And it's
certainly valid for facebook and many other webmails and social
networks used in revolutions.

I'd be inclined to believe that at least some of the ones above do
not provide any clear text access.

So OK you *believe* that doing it your way will make it more difficult
for the snoopers, but it can even be the opposite. If the deployed
technology is 100% focused on TLS right now for whatever reason (e.g.:
only filters on the SNI to decide if they capture or not), you could
even have it reversed with cleartext passing through undetected.

I'm not saying this is necessarily the case, Mike. I'm just saying that
gratuitous claims such as "TLS will raise the bar" are gratuitous,
especially in an era where most useful information already circulates
over TLS and is stolen there (and more commonly inside the browser
because it's the best place for this).

Willy
Received on Wednesday, 20 November 2013 01:24:08 UTC
