Re: SSL/TLS everywhere fail

From: Jacob Appelbaum <jacob@appelbaum.net>
Date: Thu, 3 Dec 2015 17:29:04 +0000
Message-ID: <CAFggDF0Ue6MUavC7HQPcrref7BgXWp_AOkp9SxySPi-phhFXRA@mail.gmail.com>
To: Mike Belshe <mike@belshe.com>
Cc: Poul-Henning Kamp <phk@phk.freebsd.dk>, Amos Jeffries <squid3@treenet.co.nz>, httpbis mailing list <ietf-http-wg@w3.org>

On 12/3/15, Mike Belshe <mike@belshe.com> wrote:
> Absolutely to be expected, but nothing to do with http2.  This was already
> happening long before http2 or spdy...

Exactly so - huge surveillance and censorship events are an ongoing problem.

> These types of event are GREAT for everyone - we're getting visibility into
> just how invasive our governments want to be.  If we didn't push forward,
> the world would be living in ignorant bliss.

Rosa Luxemburg most famously captured this: "Those who do not move, do
not notice their chains."

I'm not sure that it is "great" in a sense that I'm familiar with...
it is a reality check that moves things along in a very honest
direction. Some technical people were aware and they were fine with
the status quo. Some as collaborators and some as feeling like this is
all awful and messy. Now many many more people will be aware, some
with power to change things and many without. It moves us from a world
of passive and hidden active attackers to a world where we'll see many
more active attacks.

Is it really bad news that we're now seeing this stuff? It has been
happening for *years* in some countries. Some Oakley groups have been
blocked wholesale in areas of the world.

> Go go go http2 and mandatory SSL everywhere.  Next step - eliminate MITM.
> We haven't done that well yet, but it's coming.

TLS, please. :-)

All the best,
Received on Thursday, 3 December 2015 17:29:33 UTC