
Re: SSL/TLS everywhere fail

From: Willy Tarreau <w@1wt.eu>
Date: Thu, 3 Dec 2015 18:08:30 +0100
To: Mike Belshe <mike@belshe.com>
Cc: Poul-Henning Kamp <phk@phk.freebsd.dk>, Amos Jeffries <squid3@treenet.co.nz>, httpbis mailing list <ietf-http-wg@w3.org>
Message-ID: <20151203170830.GA22042@1wt.eu>

Hi Mike,

On Thu, Dec 03, 2015 at 08:44:22AM -0800, Mike Belshe wrote:
> Absolutely to be expected, but nothing to do with http2.  This was already
> happening long before http2 or spdy...
> 
> These types of event are GREAT for everyone - we're getting visibility into
> just how invasive our governments want to be.  If we didn't push forward,
> the world would be living in ignorant bliss.
> 
> Go go go http2 and mandatory SSL everywhere.  Next step - eliminate MITM.
> We haven't done that well yet, but it's coming.

Sorry Mike, but it's the opposite: SSL everywhere moves the value from clear
streams to encrypted streams, and creates the need for MITM in places where
they want to see what you're seeing even if it has little value for you.
Previously there was no need for breaking my PayPal connection because I
could read blog articles in clear text. Now when my government wants to see
what I'm reading, they also have the ability to break my PayPal connection.
And anyone participating in these activities as well.

The rule used to be pretty simple: if you don't want others to sniff you,
use SSL. Now since you don't offer that choice to users, it's "hey too bad
for you if someone sniffs you".

And I agree it's not HTTP/2 nor SPDY, it's the general trend towards SSL
everywhere that some companies are pushing hard, probably in part more to
try to protect the ad space they sell than to protect end users' privacy,
but that's my personal guess only and I could be wrong.

Cheers,
Willy

Received on Thursday, 3 December 2015 17:09:06 UTC