Re: Mandatory encryption from Willy Tarreau on 2012-07-18 (ietf-http-wg@w3.org from July to September 2012)

From: Willy Tarreau <w@1wt.eu>
Date: Wed, 18 Jul 2012 08:09:36 +0200
To: Phillip Hallam-Baker <hallam@gmail.com>
Cc: Paul Hoffman <paul.hoffman@gmail.com>, grahame@healthintersections.com.au, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Message-ID: <20120718060936.GC5875@1wt.eu>

On Tue, Jul 17, 2012 at 09:22:24PM -0400, Phillip Hallam-Baker wrote:
> -1
> 
> I don't want to have a mandatory requirement unless it is going to
> change behavior.
> 
> We already have ubiquitous deployment of TLS in browsers. The code is
> freely available, everyone knows the benefit.
> 
> The only HTTP servers or clients I am aware of that don't have TLS
> support are either toolsets that the provider expects to be used with
> OpenSSL or the like and embedded systems.
> 
> Incidentally, suport for IPSEC is mandatory in IPv6 but that does not
> seem to do any good either. It just means that IPv6 is harder to
> deploy as implementations are required to support a security layer
> almost nobody uses as TLS has proved better.

The issue with HTTP/2 will indeed be the same as with IPv6 : HTTP/2 will
be deployed between the browser and the load balancer, and everything
behind will remain HTTP/1 due to the added nuisances of deploying 2.0
everywhere. Almost nobody does IPv6 between LB and server nowadays, it's
added cost for no benefit.

This will force us to continue to support the crappy parsers of 1.1
forever and not to have MUX between the LB and the server, and that's
precisely the situation I'd like to avoid, by having a protocol which
*supports* more privacy but does not impose it where it's not expected.

> Making TLS a mandatory requirement seems like a feelgood approach to
> security to me. Instead of doing something useful, we pass a
> resolution telling people to do what they plan to do anyway.

Agreed. As I already said multiple times, sensible services requiring
privacy are already secured by TLS and it does not save them from being
tampered. But with TLS everywhere, we'll make the situation worse by
accustoming users to click all the day on "I accept the risks..." when
connecting to most of the poorly managed sites including the self-signed
equipments they run at home.

I'm really against making such a thing mandatory because it will only
improve privacy on a few services which actually do not need it and will
globally deteriorate the overall security by lowering the level of control
of users.

Willy

Received on Wednesday, 18 July 2012 06:10:04 UTC