- From: Chris Palmer <palmer@google.com>
- Date: Tue, 9 Dec 2014 10:37:22 -0800
- To: Mark Nottingham <mnot@mnot.net>
- Cc: Noah Mendelsohn <nrm@arcanedomain.com>, "www-tag@w3.org List" <www-tag@w3.org>
On Mon, Dec 8, 2014 at 8:09 PM, Mark Nottingham <mnot@mnot.net> wrote:

> If so, I've had similar misgivings -- backed up by conversations with Balachander Krishnamurthy at AT&T, who said that it would have been much harder for them to find how pervasive cookie tracking was had everything been encrypted <http://www.sigcomm.org/ccr/papers/2010/January/1672308.1672328>.

That's a bit hard to swallow, given http://www.washingtonpost.com/business/technology/verizon-atandt-tracking-their-users-with-super-cookies/2014/11/03/7bbbf382-6395-11e4-bb14-4cfea1e742d5_story.html

> When I talk to browser folks about this, they say that you can still install a CA to observe traffic, or look at the console / dev tools, etc. I think that's a reasonable answer, but one that needs better tools available to foster this kind of research.

A full powered debugger built into the browser, plus all the various extension and add-on APIs, give users and researchers tons of power.

Yes, DPI/HTTPS proxying will require the proxy/wiretapper to install a trust anchor on the client machine — i.e. to visibly take administrative control over the client machine — and that is most certainly a user safety feature, not a bug.

Received on Tuesday, 9 December 2014 18:37:49 UTC