Re: breaking TLS (Was: Re: multiplexing -- don't do it) from Mike Belshe on 2012-04-07 (ietf-http-wg@w3.org from April to June 2012)

From: Mike Belshe <mike@belshe.com>
Date: Fri, 06 Apr 2012 22:39:00 -0400
To: Nicolas Mailhot <nicolas.mailhot@laposte.net>
Cc: ietf-http-wg@w3.org, "William Chan (陈智昌)" <willchan@chromium.org>
Message-ID: <4f7fa8c4.6KhYcjhRUqampa66%mike@belshe.com>

<br><br><div class="gmail_quote">On Fri, Apr 6, 2012 at 3:19 PM, Nicolas Mailhot <span dir="ltr">&lt;<a href="mailto:nicolas.mailhot@laposte.net">nicolas.mailhot@laposte.net</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" x-style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
Le Ven 6 avril 2012 16:43, William Chan (陈智昌) a écrit :<br>
<div class="im"><br>
&gt;&gt; If you want to add security to browsing make *very* sure there is little<br>
&gt;&gt; reason<br>
&gt;&gt; for legal-abiding entities to break it, or they will finance and build the<br>
&gt;&gt; tools<br>
&gt;&gt; criminals will use. That means using encryption sparingly, not as a blanket<br>
&gt;&gt; system.<br>
<br>
&gt; This logic makes no sense to me. I disagree strongly.<br>
<br>
</div>I&#39;m not making a logic point, I&#39;m stating how things are moving now, from<br>
direct experience. People have been blindly pushing for https everywhere those<br>
past years without handling the pain points this caused to corporations, and<br>
as a results lots of proxy providers are getting fat sums to break this<br>
encryption now<br></blockquote><div><br></div><div>This sounds great to me.  If it gets broken, we&#39;ll fix it.  No point in pretending it is secure if it is really not.</div><div><br>I expect a lot of innovation in the CA verification / trust arena in the next few years.  If you keep up on that side of the world - you&#39;ll see there is a lot that can change very soon.  But this is a bit orthogonal to HTTP/2.0. </div>
<div><br></div><div>Mike</div><div><br></div><div><br></div><div> </div><blockquote class="gmail_quote" x-style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
(and btw browsers and google are not the only ones to blame, vendors like<br>
Citrix that have told IT it could just tunnel citrix through https and network<br>
admins would be none the wiser helped quite a lot too)<br>
<span class="HOEnZb"><font color="#888888"><br>
--<br>
Nicolas Mailhot<br>
<br>
<br>
</font></span></blockquote></div><br>

Received on Saturday, 7 April 2012 02:39:33 UTC