W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2015

Re: SSL/TLS everywhere fail

From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Date: Thu, 3 Dec 2015 17:20:39 +0000
To: ietf-http-wg@w3.org, Mike Belshe <mike@belshe.com>
Cc: Poul-Henning Kamp <phk@phk.freebsd.dk>, Amos Jeffries <squid3@treenet.co.nz>
Message-ID: <566079E7.3090703@cs.tcd.ie>


On 03/12/15 17:08, Willy Tarreau wrote:
> The rule used to be pretty simple : if you don't want others to sniff you,
> use SSL. Now since you don't offer that choice to users, it's "hey too bad
> for you if someone sniffs you".
> 
> And I agree it's not HTTP/2 nor SPDY, it's the general trend towards SSL
> everywhere that some companies are pushing hard, probably in part more to
> try to protect the ad space they sell than to protect end users' privacy,
> but that's my personal guess only and I could be wrong.

For me, the blame here is squarely on the despotic regime.

One can argue that folks acting from good motives achieving
more use of crypto (such as me, not a company:-) might lead
despots to react in that way, (but that is not what I think
you're saying), but even so I guess the regime in question
were likely already spying on as much as they could so what
has changed is that that is now being forced into the open.
(At which point I hope other mechanisms can help counter the
attack.)

S.

> 
> Cheers,
> Willy
> 
> 
> 
Received on Thursday, 3 December 2015 17:21:11 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:11:40 UTC