Re: SSL/TLS everywhere fail

From: Willy Tarreau <w@1wt.eu>
Date: Fri, 4 Dec 2015 00:17:00 +0100
To: Alex Rousskov <rousskov@measurement-factory.com>
Cc: HTTP Working Group <ietf-http-wg@w3.org>, Robert Collins <robertc@robertcollins.net>
Message-ID: <20151203231700.GA22201@1wt.eu>

On Thu, Dec 03, 2015 at 03:26:37PM -0700, Alex Rousskov wrote:
> On 12/03/2015 11:32 AM, Robert Collins wrote:
> 
> > I haven't met
> > a single non-internet-technicalities-savvy person who didn't express
> > immense surprise at the idea that their normal browsing would be
> > visible to *anyone* other than the site they were browsing on.
> 
> I have met many technically-illiterate folks who assume their impersonal
> communications are monitored by their government. If given the choice of
> no internet or monitored internet, I bet many would pick the latter (and
> would express immense surprise that they are being asked a question with
> such an obvious [to them] answer!).

Confirmed, I used to be one of those. For 12 years I've been using
Yahoo Mail to read my e-mails at customers' because it was the only
one allowing me to access my mail in clear, hence not being blocked by
corporate proxies. Oh and Yahoo's login box warned me about the insecure
aspect of this connection so I did it on purpose! I only had to tell
people not to send me sensitive information on this address since I
knew that potentially anyone could access it as well. And I've been
a happy user for all this time.

A few whiners used to make fun of me while complaining that they didn't
have e-mail access from the same places. Indeed it was the only one that
would pass since it was the only one that the anti-virus could analyze.
It's simply that different people have different priorities. Mine were
to have this access. Others probably had much more sensitive information
to exchange and couldn't afford a free unsecured webmail account.

> It is not this WG's job to decide whether the Kazakh government (or the
> example.com employer or a concerned parent) has the right to monitor
> communication of their citizens (or employees or kids). It could be this
> WG's job to design protocols and deployment recommendations that make
> monitoring easy to integrate, discover, and either consent to or reject.
> 
> Doing so would save a lot of energy for such useful things as educating
> folks about surveillance trade-offs so that their consent (or lack
> thereof) becomes more informed.

+1

Willy
Received on Thursday, 3 December 2015 23:17:29 UTC