- From: Melvin Carvalho <melvincarvalho@gmail.com>
- Date: Wed, 25 Mar 2015 01:15:47 +0100
- To: Tim Bray <tbray@textuality.com>
- Cc: Daniel Appelquist <appelquist@gmail.com>, Marc Fawzi <marc.fawzi@gmail.com>, TAG List <www-tag@w3.org>
- Message-ID: <CAKaEYhK-21MBhptG3_ArOk-RjoB8LDutfgrpq7rdfCk2G2B+pA@mail.gmail.com>
On 24 March 2015 at 22:38, Tim Bray <tbray@textuality.com> wrote:

> What Daniel said. Also, see
> https://www.tbray.org/ongoing/When/201x/2014/07/28/Privacy-Economics

Thanks Tim. A very well thought out article.

It seems that moving from HTTP to HTTPS is an incremental gain, as you say, rather than a perfect solution. Is HTTPS good enough? Is HTTP good enough? I suppose different people will have different views on that. No strong view here, but I lean towards agreeing with you. Better security is of course a good thing.

However, less well mentioned in your post, is that this may also be a trade off. For example we've seen examples in some browsers blocking mixed content on the web http/https to protect against possible MITM attacks. The opportunity cost here is that there are potentially fewer connections on the web. In a hierarchical system that may not be such a big deal, but in a graph oriented architecture, the value is proportional to the number of connections.

I'm not trying to argue for or against, here, but just saying that from an architectural view, it's not black and white (much of the gist of what you were saying) and that there are subtle trade offs, imho, at this point in time.

> On Wed, Mar 25, 2015 at 8:42 AM, Daniel Appelquist <appelquist@gmail.com>
> wrote:
>
>> Excuse me?
>>
>> Marc – can you please refrain from making alarmist, nonsensical
>> flame-baiting comments like this on our mailing list? Probably this sort of
>> thing would be more sensibly expressed on Twitter or similar?
>>
>> Thanks,
>> Dan
>>
>> On 24 Mar 2015, at 16:47, Marc Fawzi <marc.fawzi@gmail.com> wrote:
>>
>> A classic "we told you so" moment for "HTTPS everywhere" promoters and
>> now state surveillance is baked into HTTP2.0
>>
>> Sent from my iPhone
>>
>> On Mar 24, 2015, at 9:31 AM, Melvin Carvalho <melvincarvalho@gmail.com>
>> wrote:
>>
>> FYI:
>>
>> http://arstechnica.com/security/2015/03/google-warns-of-unauthorized-tls-certificates-trusted-by-almost-all-oses/
>
> --
> - Tim Bray (If you’d like to send me a private message, see
> https://keybase.io/timbray)
Received on Wednesday, 25 March 2015 00:16:16 UTC