
Re: SSL/TLS everywhere fail

From: Mike Belshe <mike@belshe.com>
Date: Thu, 3 Dec 2015 19:47:03 -0800
Message-ID: <CABaLYCv7xMWfKWYahEOcLjZ2tG68Ha+2KabDDF0Q6mq2QqXxcw@mail.gmail.com>
To: httpbis mailing list <ietf-http-wg@w3.org>
On Thu, Dec 3, 2015 at 10:01 AM, Willy Tarreau <w@1wt.eu> wrote:

> On Thu, Dec 03, 2015 at 09:25:46AM -0800, Mike Belshe wrote:
> > Off the shelf mitm has existed for years and long predates the SSL
> > everywhere movement.
> I know and I don't care about MITM being performed on my *clear text*
> browsing. But some companies decide that I should be forced to use
> encryption even when I'm fine with MITM.
> > > Previously there was no need for breaking my PayPal connection because I
> > > could read blog articles in clear text. Now when my government wants to see
> > > what I'm reading, they also have the ability to break my PayPal connection.
> > > And anyone participating in these activities as well.
> > >
> >
> > Maybe you don't read the news.  The NSA has been all over your paypal
> > connection for years....  Your employer has too.
> NSA I'm not surprised. My employer I'm certain not. My ISP and/or government
> maybe since in the ~500 CAs my browser recognizes, probably a few are rogue.
> > > The rule used to be pretty simple : if you don't want others to sniff you,
> > > use SSL. Now since you don't offer that choice to users, it's "hey too bad
> > > for you if someone sniffs you".
> >
> > Willy, I'm surprised you think yesteryear's technology is supposed to be
> > sufficient forever.  Security generally doesn't work that way.
> That's not what I'm saying, I'm talking about leaving the choice to end
> users.
> > People want privacy, encryption, security and safety.   They don't want it
> > sometimes - they want it all the time.
> That's wrong. YOU want this and YOU decide that everybody wants this.

One thing never changes:  the only people that don't want security are
those peddling archaic proxy products that don't work in the face of

> I'm
> NOT one of these idealist people because I know for sure that the ones who
> have the power to enforce MITM have the power they need when they have to
> come down on you. I prefer that they see my pointless browsing the easy
> way instead of having them break my door and come with rifles while I'm
> just checking google map to find the fastest way to go to my customers'
> the next day.
> > But you know this.  Instead of
> > lamenting how great it was in the past, let's move forward and build better
> > TLS.
> Yes so that they need to break my door.
> We've had this discussion together in the past, we both know we disagree
> on this point and will probably never agree. Let's not re-heat it here.
> At least I'm the one who does not try to impose his way of life on others,
> I'd rather let everyone decide.

OK - I'll stop.  You should too - you've replied with no fewer than 5 (yes
count them!) posts with the same tired old arguments...

The implementors (not me) have decided on a more secure transport - please
move on.  It's the same as how we decided on a reliable transport (tcp) and
not an unreliable one (udp).


> Willy
Received on Friday, 4 December 2015 03:47:35 UTC
