- From: Ted Hardie <ted.ietf@gmail.com>
- Date: Wed, 1 Apr 2015 14:30:31 -0700
- To: Amos Jeffries <squid3@treenet.co.nz>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>
Received on Wednesday, 1 April 2015 21:31:01 UTC
On Tue, Mar 31, 2015 at 9:45 PM, Amos Jeffries <squid3@treenet.co.nz> wrote: > > > I, Adrien, Willy, PHK have been stating that MITM exist already in TLS > *and are increasing*. The research you point out supports that > statement, they saw TLS MITM rates double within just last year. With > growth of malware instances almost tripling. > > The call we are making is to avoid doing things which encourage that > growth to increase any further. S > ​What seems odd here is that the calls that you make are apparently for avoiding things which encourage TLS MiTM by permitting things that allow MiTM without TLS; what that gains in terms of human rights is baffling. It simply lowers the cost of MiTM. The issue isn't that it is "TLS MiTM", it's "MiTM" with whatever modifier you like. Encouraging efforts like acme to support easy enrolment in certificate pinning schemes, for example, seems like a far better use of time than trying to persuade people worrying about MiTM attacks that TLS doesn't help, at least to me. But your mileage may vary, and apparently does. Ted
Received on Wednesday, 1 April 2015 21:31:01 UTC