Re: The TLS hammer and resource integrity

Martin, Great post. Thanks for the time it took to do it.

On 3/28/2012 6:14 AM, Martin Thomson wrote:
> On 28 March 2012 05:55, Martin Thomson<martin.thomson@gmail.com>  wrote:
>> Today, the only option we have available to deal with this problem is
>> TLS.  And along with our integrity (and source authentication), we
>> also get confidentiality.  This is occasionally desirable, but
>> frequently, it is merely consequential.

I disagree pretty strongly that confidentiality is not a core desirable 
property for the web. I also lament that TLS only improves the situation 
partially.

Later in this thread Willy cites ad content as something that does not 
need confidentiality, but that would be a perfect exemplar imo of 
something that certainly does. The targeted ads a user receives 
disclose a great deal of information about you. The cookie that 
generates that ad lets a purely passive sniffer generate N more ads when 
captured, and the aggregate set of targeted ads paints an extensive 
invasion of privacy picture.

The notion that consumers of adult content don't care that their 
activities are broadcast in detail to their friends and family is 
bizarre to me.  The great demand for various "private browsing" features 
in browsers is testament to this history.

I don't have a real objection to another closely related protocol that 
isn't for the web (and therefore not implemented by phones, browsers, 
etc.) but runs over IP that excludes some of this. But optionality 
isn't going to work as I think the current state of things illustrates well.

>> The separation of resource integrity from communication
>> integrity/confidentiality is something that I know others have been
>> thinking about.  I'd like to see this discussed in HTTP/2.0.

I think this is a fine work item (and good idea!) for supporting the 
transition of mixed http/1 http/2 environments (and likely interesting 
in http/2 environments that aren't e2e secured) which clearly has to be 
part of the plan - mixed content is terrible, under-appreciated as a 
risk, and should be a first tier concern. But resource integrity isn't 
the _only_ thing to worry about.

Received on Wednesday, 28 March 2012 11:59:59 UTC