Re: Draft finding - "Transitioning the Web to HTTPS"

On Tue, 6 Jan 2015, Eric J. Bowman wrote:

> Martin Thomson wrote:
>>
>> Tim Berners-Lee wrote
>>
>>> If the videos are all https: then he won't be able to cache them,
>>> except -- not to worry, the tools he buys will probably include
>>> MITM attack tools, so in fact he *will* be able to cache things
>>> after all.
>>
>> I think that it's a little sad that this is the only response we have
>> to this situation.  Of course we can break the encryption.  It does
>> instantly restore function to our existing toolchain.
>>
>> Or, we could apply ourselves to the problem and then maybe we can have
>> both security AND caching.
>>
>> Jus' sayin'.
>>
>
> +1
>
> My point entirely. Eliminating caching in the name of security,
> particularly if the result isn't secure, amounts to throwing the baby
> out with the bathwater. It's a cop-out by the very insitutions folks
> rely on to solve problems, not come up with cop-outs, regardless of how
> marketable such cop-outs are to the gullible.

It depends what "security" means here. Pervasive monitoring (aka 
sniffing), that should be resolved on a hop-by-hop encryption, or MiTM 
that requires end-to-end encryption.

Having both hop-by-hop and end-to-end  would have been nice, but as a word 
of caution, compression of payload body in HTTP could be done using 
Transfer-Encoding or Content-Encoding. Almost no UA implemented TE:, 
almost no servers implemented Transfer-Encoding apart from chunking. What 
is widely used is Content-Encoding, and not without bugs (like issues with 
ETag handling), so like for https, the end-to-end version wins as it is 
easier to deploy/debug/control.

And saying that the only solution for people with poor bandwidth is to get 
rid of their security is not really satisfying.

-- 
Baroula que barouleras, au tiéu toujou t'entourneras.

         ~~Yves

Received on Thursday, 8 January 2015 20:22:19 UTC