Re: Mandatory encryption

On Wed, 2012-07-18 at 11:00 +1000, Grahame Grieve wrote:
> > +1 to what seems to be a lot of developers: make TLS mandatory.
> >
> >>  so, even when used in an internal application protocol, it's going to
> >>  be end to end
> >>  encrypted to make it super hard to debug?
> >
> > In an internal application protocol, why would it be "super hard to
> > debug"? The client can do an HTTP dump before TLS, the server can do
> > an HTTP dump after TLS; either of the sides could debug the TLS.
> 
> yep. they can. But they have to. 3rd parties are shut out. I get that in
> some circumstances this is good. But not all. As an example, I spend
> quite a bit of my time looking at browser traffic now, to debug why
> my servers or clients aren't working the way that a 3rd party
> client/server set up is. Unless it's https, in which case.... I have to find
> some other way.
> 

This is just tooling, and there are lots of good emerging answers to
this. For Firefox and Chrome you can use the directions in
https://developer.mozilla.org/en/NSS_Key_Log_Format to get a "keylog"
file you can give to Wireshark so it can simply decode a TLS packet
capture. It's pretty sweet.

Other tools will come along.

Received on Wednesday, 18 July 2012 13:06:41 UTC
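
An added example, not part of the original message: a checker for the NSS key log file mentioned above, which reports malformed lines and which ClientHello randoms from a capture have no logged secret (the usual reason a session will not decode in Wireshark). The function names and sample data are constructed for illustration, and the TLS 1.3 labels come from later revisions of the format, not from this 2012 message.

```python
# Labels keyed by the 32-byte ClientHello random; these TLS 1.3 labels postdate the page.
TLS13_LABELS = {"CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
                "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0", "EXPORTER_SECRET"}

def parse_keylog(text):
    """Return ({identifier: {label: secret}}, [(line_no, reason)])."""
    sessions, errors = {}, []
    for no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):      # blank lines and comments
            continue
        parts = line.split()
        if len(parts) != 3:
            errors.append((no, "expected 3 fields"))
            continue
        label, ident, secret = parts
        try:
            ident_b, secret_b = bytes.fromhex(ident), bytes.fromhex(secret)
        except ValueError:
            errors.append((no, "non-hex field"))
            continue
        if label == "RSA":    # legacy: first 8 bytes of encrypted premaster
            ok = len(ident_b) == 8 and len(secret_b) == 48
        elif label == "CLIENT_RANDOM":            # 48-byte master secret
            ok = len(ident_b) == 32 and len(secret_b) == 48
        elif label in TLS13_LABELS:
            ok = len(ident_b) == 32 and len(secret_b) > 0
        else:
            errors.append((no, "unknown label"))
            continue
        if not ok:
            errors.append((no, "bad length"))
            continue
        sessions.setdefault(ident_b, {})[label] = secret_b
    return sessions, errors

def undecryptable(sessions, capture_randoms):
    """ClientHello randoms seen in a capture that have no logged secret."""
    return [r for r in capture_randoms if r not in sessions]

# Constructed sample file (not real key material).
SAMPLE = "\n".join([
    "# constructed sample",
    "CLIENT_RANDOM " + "11" * 32 + " " + "aa" * 48,
    "CLIENT_RANDOM " + "22" * 32 + " " + "bb" * 20,   # truncated secret
    "RSA " + "33" * 8 + " " + "cc" * 48,
    "CLIENT_TRAFFIC_SECRET_0 " + "44" * 32 + " " + "dd" * 32,
    "BOGUS 00 00",
])
```

The key log file holds the session secrets themselves, so anyone with the file and the matching capture can read the traffic; store and delete it with the same care as a private key.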