Re: SSL/TLS everywhere fail

From: Willy Tarreau <w@1wt.eu>
Date: Thu, 3 Dec 2015 19:01:07 +0100
To: Mike Belshe <mike@belshe.com>
Cc: httpbis mailing list <ietf-http-wg@w3.org>
Message-ID: <20151203180107.GB22101@1wt.eu>
On Thu, Dec 03, 2015 at 09:25:46AM -0800, Mike Belshe wrote:
> Off the shelf mitm has existed for years and long predates the SSL
> everywhere movement.

I know and I don't care about MITM being performed on my *clear text*
browsing. But some companies decide that I should be forced to use
encryption even when I'm fine with MITM.

> > Previously there was no need for breaking my PayPal connection because I
> > could read blog articles in clear text. Now when my government wants to see
> > what I'm reading, they also have the ability to break my PayPal connection.
> > And anyone participating in these activities as well.
> >
> Maybe you don't read the news.  The NSA has been all over your paypal
> connection for years....  Your employer has too.

NSA, I'm not surprised. My employer, I'm certain, has not. My ISP and/or government
maybe, since among the ~500 CAs my browser recognizes, probably a few are rogue.

> > The rule used to be pretty simple : if you don't want others to sniff you,
> > use SSL. Now since you don't offer that choice to users, it's "hey too bad
> > for you if someone sniffs you".
> Willy, I'm surprised you think yesteryear's technology is supposed to be
> sufficient forever.  Security generally doesn't work that way.

That's not what I'm saying, I'm talking about leaving the choice to end

> People want privacy, encryption, security and safety.   They don't want it
> sometimes - they want it all the time.

That's wrong. YOU want this and YOU decide that everybody wants this. I'm
NOT one of these idealist people because I know for sure that the ones who
have the power to enforce MITM have the power they need when they have to
come down on you. I prefer that they see my pointless browsing the easy
way instead of having them break my door and come with rifles while I'm
just checking Google Maps to find the fastest way to go to my customers'
the next day.

> But you know this.  Instead of
> lamenting how great it was in the past, lets move forward and build better
> TLS.

Yes so that they need to break my door.

We've had this discussion together in the past, we both know we disagree
on this point and will probably never agree. Let's not re-heat it here.
At least I'm the one who does not try to impose his way of life on others,
I'd rather let everyone decide.

