
Re: SSL/TLS everywhere fail

From: Poul-Henning Kamp <phk@phk.freebsd.dk>
Date: Fri, 04 Dec 2015 06:37:27 +0000
To: Jacob Appelbaum <jacob@appelbaum.net>
cc: Mike Belshe <mike@belshe.com>, Amos Jeffries <squid3@treenet.co.nz>, httpbis mailing list <ietf-http-wg@w3.org>
Message-ID: <58251.1449211047@critter.freebsd.dk>
In message <CAFggDF3aDuf6iZqr+n9yvKFfVVjvyntRL=DmA7vmXLh626BOHw@mail.gmail.com>, Jacob Appelbaum writes:

>> You cannot fix political problems with technological hacks
>Nor can you fix it with political cowardice and security nihilism!

I don't think you can fairly accuse me of either?

>As has already been said in the thread: The technological changes
>bring the political problems into a visible space. 

Absolutely agree.

But SSL/TLS is just about the worst encryption you can bring to
that fight, because it is *so* trivial and routine to MiTM that you
can find the list-price for the necessary equipment on Google.

draft-thomson-http-encryption is a much better tool for civil
disobedience:  It can be used with a thousand diverse key management
schedules, including the only one we know to be intrinsically secure
from MiTM (PSK), and there is *no* way to trojan all of it.

Deploy *that* with good key-management tools[1] and the politicians
will face the much more unpalatable choice of "Block or Pass".

If they choose "pass" we won.

If they choose "block" we get the population on our side pretty quick.

Changing the world with civil disobedience takes careful planning and
execution.  Rosa Parks didn't just happen to be tired.


[1] I hesitate to use the word GPG and "good" in the same context,
but there *is* a very large web of trust to leverage.

Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe    
Never attribute to malice what can adequately be explained by incompetence.
Received on Friday, 4 December 2015 06:37:58 UTC
