Re: HTTP/2 and Pervasive Monitoring from Eliot Lear on 2014-08-15 (ietf-http-wg@w3.org from July to September 2014)

From: Eliot Lear <lear@cisco.com>
Date: Fri, 15 Aug 2014 21:41:23 +0200
To: Roland Zink <roland@zinks.de>
CC: Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <53EE6263.2000802@cisco.com>

On 8/15/14, 7:25 PM, Roland Zink wrote:
> Don't think that a valid cert really helps here although it may give a
> hint about who is responsible.

We don't have causality, but we do have data.  And so one man's
conjecture is as good as the next's.  Here's mine: the majority of
illicit servers are actually running on hacked systems and the data is
being served off a simple HTTP server, where no warning is produced.  It
costs money to get a cert for that system, which doesn't actually buy
the miscreant anything.

Eliot

Received on Friday, 15 August 2014 19:41:55 UTC