Re: SSL/TLS everywhere fail

From: Poul-Henning Kamp <phk@phk.freebsd.dk>
Date: Sun, 06 Dec 2015 12:57:25 +0000
To: ietf-http-wg@w3.org, Willy Tarreau <w@1wt.eu>
cc: Amos Jeffries <squid3@treenet.co.nz>
Message-ID: <24504.1449406645@critter.freebsd.dk>
In message <20151206125030.GA28069@1wt.eu>, Willy Tarreau writes:

>> >Warning Amos, TLS does offer this when it's used reasonably.
>> There is no way to use it "reasonably" in practice.
>But it's not TLS's fault but the whole model of trust. 

No, it is the fault of the people who agitate for "TLS everywhere"
ignoring that the model of trust is utterly untrustworthy.

>When you have only CAs of parties you decide to trust, the whole chain
>can be trusted.

Correct.  And all current browsers make that as hard as possible
to do in practice.

Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe    
Never attribute to malice what can adequately be explained by incompetence.
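
The thread only states the rule ("only CAs of parties you decide to trust"); the script below is an added example of what that rule looks like at the verifier. It is mine, not something Poul-Henning or Willy posted. It assumes the openssl command line (1.1.0 or later) is on PATH; the two root CAs, the leaf certificates and the name service.example.test are all generated on the spot for the demonstration and are not real. The point it makes: a chain that verifies fine under one root is rejected outright under a trust store that does not contain that root, and the verifier has to be told explicitly not to fall back on the system-wide store.

```shell
#!/bin/sh
# Added example, not from the thread: restrict verification to a trust store
# of our own choosing.  Assumes the openssl CLI (>= 1.1.0).  All keys and
# certificates are constructed here for the demonstration; none is real.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: self-signed root "NAME" -> $WORK/NAME.pem and $WORK/NAME.key
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# issue CA NAME: have root "CA" issue a leaf for CN=NAME -> $WORK/NAME.CA.pem
issue() {
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
  openssl x509 -req -sha256 -days 30 -in "$WORK/$2.csr" \
    -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
    -out "$WORK/$2.$1.pem" >/dev/null 2>&1
}

# verify_with BUNDLE CERT: verify CERT against exactly the roots in BUNDLE.
# -no-CAfile and -no-CApath matter: without them openssl also loads the
# system-wide trust store even when -CAfile is given, so a cert from any
# distro-shipped CA would still pass.  Prints "trusted" or "untrusted".
verify_with() {
  if openssl verify -no-CAfile -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

make_ca ourca      # the one root we have decided to trust
make_ca otherca    # another root, just as well-formed, but not our choice
issue ourca   service.example.test
issue otherca service.example.test   # same name, different issuer

# Against a store holding only ourca.pem, the otherca-issued cert for the
# very same name is rejected; the chain is only as good as the roots we pick.
for issuer in ourca otherca; do
  printf '%s issued by %s, checked against ourca.pem only: %s\n' \
    service.example.test "$issuer" \
    "$(verify_with "$WORK/ourca.pem" "$WORK/service.example.test.$issuer.pem")"
done
```

Swap `ourca.pem` for the bundle your client actually ships with to see which of the hundred-odd roots in it you have really "decided" to trust; the verifier cannot tell the difference between the two roots above, only the bundle can.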
