
Re: SSL/TLS everywhere fail

From: Poul-Henning Kamp <phk@phk.freebsd.dk>
Date: Sat, 05 Dec 2015 10:27:32 +0000
To: Jacob Appelbaum <jacob@appelbaum.net>
cc: Mike Belshe <mike@belshe.com>, Amos Jeffries <squid3@treenet.co.nz>, httpbis mailing list <ietf-http-wg@w3.org>
Message-ID: <63744.1449311252@critter.freebsd.dk>
In message <CAFggDF0CzfWuufur4f8RrVYc7kxqKsCatim-Pqhg+i+1jHqQpA@mail.gmail.com>, Jacob Appelbaum writes:

>> I have no idea what the Tor project will do, but fortunately the
>> human rights activists I know about have a fallback.
>I suspect that they will use Tor bridges or another similar bypass
>method. If they need help, we're always happy to help - please ask
>them to reach out if we can help.

Obviously I am not going to say anything here that would compromise
anybody, but I can safely tell you that they are not in your dataset
for the graph you linked to, and that any contact to the Tor project
will be at least three arms length.

>People related to the Tor Project have been working to submit evidence
>with regard to the latest series of bills on exactly this topic. I
>guess other groups will do the same.

And did you see what all the evidence did for the decision about
bombing Syria?

>I'm sorry if I was unclear: The high cost is a cert chain that works
>on everyone without installing a root.

If you are a government, the cost of getting everybody to install a
root-cert is probably cheaper than the kit.

In Denmark for instance, all the legislation is in place to require
people to accept a root-cert for our "NemID" (digital citizen/company
ID/ single signon), the cert can be downloaded as part of the logon
procedure and in a matter of days a very large fraction of all Danish
computers have the root-cert installed.

Other countries are similarly positioned.  Given their current
"cyber-war" threat-models, they'd be stupid if not.

(NB: I'm not saying their threat-models are correct or even sane,
they're not, but given that threat-model, being able to roll out a
root-cert is the obvious thing to be able to do.)

>Surely you're aware that I'm working on many different angles at the
>same time - exactly in many of the areas that you suggest.

I'd expect no less of you Jacob.

And I'll do anything I can do, including as much "empty rhetoric"
as I can fit through my various megaphones.

In other related news:  The first news-item yesterday, following
the Danish referendum (look it up) was "Denmark's NO means we cannot
participate in the new anti-terror flight-passenger database".  It
was made abundantly obvious that this was a TERRIBLE thing.

We have, so far, *totally* failed to get the population behind us
on this cause.

Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
Received on Saturday, 5 December 2015 10:27:58 UTC