
Re: SSL/TLS everywhere fail

From: Poul-Henning Kamp <phk@phk.freebsd.dk>
Date: Sat, 05 Dec 2015 10:07:03 +0000
To: Mark Nottingham <mnot@mnot.net>
cc: Cory Benfield <cory@lukasa.co.uk>, Adrien de Croy <adrien@qbik.com>, Jacob Appelbaum <jacob@appelbaum.net>, Mike Belshe <mike@belshe.com>, Amos Jeffries <squid3@treenet.co.nz>, httpbis mailing list <ietf-http-wg@w3.org>
Message-ID: <63628.1449310023@critter.freebsd.dk>
--------
In message <BE05C37D-61A7-43DC-9A7A-E7E1A6B2C5EB@mnot.net>, Mark Nottingham writes:

>MiTM was a COTS product long before people started agitating for "TLS 
>everywhere." It may have enlarged that market, but the technology was 
>already there, and already a viable business for several vendors.

And that is *exactly* why people should have thought "Hang on, if
TLS-everywhere is easily defeated by COTS products..."

>> The correct response would have been to roll out more or less
>> *exactly* what the encryption draft contains, along with a wide
>> number of diverse key-management schedules.
>
>I'd encourage you to talk to some browser security teams to understand 
>why that is not at all a viable replacement for TLS. The W3C's Web 
>Application Security Working Group is a good place to start.

Nobody is talking about it being a "viable replacement for TLS",
and we don't need a "viable replacement for TLS", we need a technical
response that can be ramped up, and up, and up, in response to the
other side's increasingly desperate attempts to break it.

No, it won't be plug in, and no, it may not make people the same
amount of money as usual.  But it *might* push our political
agenda forward as a means of "civil disobedience".

>I think you're creating a straw-man here. No one has said that TLS 
>everywhere is the only solution, or even a sufficient one. 

Ohhhh yes, a lot of people said that, also in this group.  I've
personally heard Jacob say it both in public and in private over a
beer.  And yes, I shared my view.

>>       http://telecom.kz/en/news/view/18729
>
>Interestingly, that now redirects to their home page. It's hard
>to say for sure, but I suspect they were surprised by the reaction
>and are re-thinking their plans. I suppose we'll (eventually) see.

Rumours from local sources are that it simply took their webserver
down.  No rumours about the government decision having changed.

-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe    
Never attribute to malice what can adequately be explained by incompetence.
Received on Saturday, 5 December 2015 10:07:33 UTC
