Re: Mandatory encryption

> +1 to what seems to be a lot of developers: make TLS mandatory.
>
>>  so, even when used in an internal application protocol, it's going to
>>  be end to end
>>  encrypted to make it super hard to debug?
>
> In an internal application protocol, why would it be "super hard to
> debug"? The client can do an HTTP dump before TLS, the server can do
> an HTTP dump after TLS; either of the sides could debug the TLS.

Yep. They can. But they have to. 3rd parties are shut out. I get that in
some circumstances this is good. But not all. As an example, I spend
quite a bit of my time looking at browser traffic now, to debug why
my servers or clients aren't working the way that a 3rd party
client/server setup is. Unless it's https, in which case... I have to find
some other way.

>>  http is about more than users using
>>  web browsers.
>
> Completely true, and not relevant. Insecure HTTP for non-browser
> applications still has the same bad properties, no?

But a much wider deployment context, and much harder to work with.

Grahame

Received on Wednesday, 18 July 2012 01:00:43 UTC