- From: patrick mcmanus <pmcmanus@mozilla.com>
- Date: Wed, 28 Mar 2012 23:59:06 +0200
- To: ietf-http-wg@w3.org

On 3/28/2012 11:42 PM, Willy Tarreau wrote:
>
> Not necessarily but similarly we don't necessarily want to decide for
> the users that they need privacy where that really does not make sense
> for them. If you have a widget on your TV displaying a beautiful clock
> which looks nice in your living room, you don't care a dime that the
> time of day is retrieved over HTTP and that someone else can see the
> time you're seeing.

You might care that someone else knows that you are seeing it (and are therefore present and watching your TV). Domestic violence prevention advocates care about this stuff a lot - TLS makes it better without completely fixing it. (i.e. you can see that there is some activity but you might not be able to distinguish from other less identifying automatic activity, or cannot associate it with a cookie that would tell you who was using what appliance, etc.)

The content provider is in no position to make this decision about the user's privacy and is certainly not incented to care.

I want to build a web that at least mitigates passive sniffing attacks - we can do that now. The state of things when we make security optional is just embarrassing.

Received on Wednesday, 28 March 2012 21:59:46 UTC