- From: Ray Polk <ray.polk@oracle.com>
- Date: Fri, 6 Apr 2012 08:50:05 -0700 (PDT)
- To: <nicolas.mailhot@laposte.net>
- Cc: <ietf-http-wg@w3.org>
I think Nicolas makes a very strong and important point here. I think everyone agrees security is a never ending battle of one-upmanship. People often use the term "arms race" to draw an analogy. I prefer the analogy of bacteria / antibiotics. In the lowest risk infection situations, the user is left to their own devices. In the highest risk, life/death situations, security doctors bring the most powerful antibiotics to bear. To treat every infection with the most powerful countermeasures would weaken those countermeasures for the most extreme cases. Each security mechanism also brings cost to the user and the infrastructure. In time, the countermeasure loses its effectiveness and another mechanism is broadly deployed...as time goes to infinity, only the cost increases. -Ray ----- Original Message ----- From: nicolas.mailhot@laposte.net To: ietf-http-wg@w3.org Sent: Friday, April 6, 2012 8:35:43 AM GMT -07:00 US/Canada Mountain Subject: Re: breaking TLS (Was: Re: multiplexing -- don't do it) Amos Jeffries <squid3@...> writes: > IME admin are usually not that eager to do MITM on TLS. Yes there are all sorts of unpleasant legal risks involved > It is required by policy makers who just want to publish tick-box policies It is required to authenticate proxy users now that popular sites are moving to ssl, since no one has defined a reliable way to do it without breaking tls. And then once the system is in place who will vouch it won't be abused for corporate follies? It is *very* dangerous to make encryption an all-or-nothing proposal. That makes it an everyone-has-a-reason-to-break-it system, which means it *will* be broken, even in the cases it's perfectly justified. If you want to add security to browsing make *very* sure there is little reason for legal-abiding entities to break it, or they will finance and build the tools criminals will use. That means using encryption sparingly, not as a blanket system.
Received on Friday, 6 April 2012 15:50:38 UTC