Re: SSL/TLS everywhere fail from Mike Belshe on 2015-12-03 (ietf-http-wg@w3.org from October to December 2015)

From: Mike Belshe <mike@belshe.com>
Date: Thu, 3 Dec 2015 09:25:46 -0800
To: httpbis mailing list <ietf-http-wg@w3.org>
Message-ID: <CABaLYCvJmtV6teLPktVDjBMFAHnEFk_7VoKP9j3bAdHDKJWHUA@mail.gmail.com>

On Thu, Dec 3, 2015 at 9:08 AM, Willy Tarreau <w@1wt.eu> wrote:

> Hi Mike,
>
> On Thu, Dec 03, 2015 at 08:44:22AM -0800, Mike Belshe wrote:
> > Absolutely to be expected, but nothing to do with http2.  This was
> already
> > happening long before http2 or spdy...
> >
> > These types of event are GREAT for everyone - we're getting visibility
> into
> > just how invasive our governments want to be.  If we didn't push forward,
> > the world would be living in ignorant bliss.
> >
> > Go go go http2 and mandatory SSL everywhere.  Next step - eliminate MITM.
> > We haven't done that well yet, but its coming.
>
> Sorry Mike, but it's the opposite : SSL everywhere moves the value from
> clear
> streams to encrypted streams, and creates the need for MITM in places where
> they want to see what you're seeing even if it has little value for you.
>

Off the shelf mitm has existed for years and long predates the SSL
everywhere movement.


> Previously there was no need for breaking my PayPal connection because I
> could read blog articles in clear text. Now when my government wants to see
> what I'm reading, they also have the ability to break my PayPal connection.
> And anyone participating in these activities as well.
>

Maybe you don't read the news.  The NSA has been all over your paypal
connection for years....  Your employer has too.


>
> The rule used to be pretty simple : if you don't want others to sniff you,
> use SSL. Now since you don't offer that choice to users, it's "hey too bad
> for you if someone sniffs you".


Willy, I'm surprised you think yesteryear's technology is supposed be
sufficient forever.  Security generally doesn't work that way.

People want privacy, encryption, security and safety.   They don't want it
sometimes - they want it all the time.  But you know this.  Instead of
lamenting how great it was in the past, lets move forward and build better
TLS.

Mike




> And I agree it's not HTTP/2 nor SPDY, it's the general trend towards SSL
> everywhere that some companies are pushing hard, probably in part more to
> try to protect the ad space they sell than to protect end users' privacy,
> but that's my personal guess only and I could be wrong.
>
> Cheers,
> Willy
>
>

Received on Thursday, 3 December 2015 17:26:20 UTC