
Re: Privacy and its costs (was: Re: Mandatory encryption)

From: Henry Story <henry.story@bblfish.net>
Date: Thu, 19 Jul 2012 15:29:39 +0200
Cc: Tim Bray <tbray@textuality.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Message-Id: <209DCCB6-735F-4EE5-9C10-A5A4424BC251@bblfish.net>
To: Martin J. Dürst <duerst@it.aoyama.ac.jp>

On 19 Jul 2012, at 02:13, Martin J. Dürst wrote:

> Hello Tim,
> On 2012/07/19 0:09, Tim Bray wrote:
>> On Wed, Jul 18, 2012 at 6:56 AM, Eliot Lear <lear@cisco.com> wrote:
>>> This is a red herring.  The real argument is around the ability of all web
>>> servers to get certificates
>> This pattern keeps coming up.
>> A: “Privacy is good”
>> B: “No, because the technology is currently too expensive/unreliable”
>> Uh... privacy is good.  -T
> Okay, Tim, here's a challenge for you then:
> If privacy is important (I'm with you here, of course), and if privacy requires TLS (like many others on this list, I have my strong doubts, but you seem to think so), how come that your own site http://www.tbray.org/ongoing/ still uses http rather than https?
> Is the privacy of the readers of Ongoing just less important than the privacy of users of the average Web site? Or is it that you just haven't realized that was still on http?

I think in the case of Ongoing privacy is not in fact important. But security is! That is, as a reader of Ongoing, I don't care at all that the articles sent by Tim are encrypted. What I do care about is that the articles I receive are exactly what Tim wrote. So if Tim writes about a great camera buying experience, I want the link I receive that he put in his blog to be the one Tim intended it to be, and not be man-in-the-middled and changed to a link to another web site.

TLS allows null encryption in its protocol, and having that would be great. 

In fact, knowing that I am on Tim's site and not on some other site (because DNS was corrupted) is also important. I want to know I am on Tim's site with the assurance of at least the same level of strength as the reliability of DNS (which should be DNSSEC).

Now we should not be critical of people because they have not implemented TLS (even with 0 encryption). Because the internet is an organic entity that grows, and just as we do not ask babies to be born bearing arms, we don't get a structure like the internet or the web to be born fully secure. Its architecture permits it to be, and now the Web is close to being 20, and it's time for it to join the army. :-)

> Why don't you actually go to the trouble of moving Ongoing to TLS, with a chained (i.e. not self-signed) certificate, and tell us how many working hours/days and how much money it took you to set it up. This may make for an interesting learning experience, and an interesting blog entry.
> [This challenge is of course also for all the other people who advocate to tie in mandatory TLS with HTTP 2.0; I just picked Tim because I know his site and I know he likes such challenges :-).]
> Regards,   Martin.
> P.S.: I have my own server for my lab (way less slick than Ongoing, I have to admit), and I have considered using https: at least about once every year, probably more. It would be the right thing to do. But the amount of time it would require from me, to set it up and to make sure it's set up correctly, is just too much.

Social Web Architect
Received on Thursday, 19 July 2012 13:30:19 UTC
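
The integrity-without-confidentiality idea in the message above (TLS with null encryption), as an added example that is not part of the original email: a sketch of the TLS 1.2 record MAC from RFC 5246 as used by NULL-encryption suites such as TLS_RSA_WITH_NULL_SHA256. The MAC key, the sample post and the function names are constructed for illustration; a real session derives the MAC key during the handshake.

```python
import hashlib
import hmac
import struct

MAC_LEN = hashlib.sha256().digest_size  # 32 bytes for HMAC-SHA256
APPLICATION_DATA = 23                   # TLS ContentType application_data
TLS12 = (3, 3)                          # ProtocolVersion for TLS 1.2

def record_mac(key, seq, fragment):
    # RFC 5246 6.2.3.1: MAC over seq_num || type || version || length || fragment
    header = struct.pack("!QBBBH", seq, APPLICATION_DATA, *TLS12, len(fragment))
    return hmac.new(key, header + fragment, hashlib.sha256).digest()

def protect(key, seq, fragment):
    """NULL cipher: the record payload is the plaintext followed by its MAC."""
    return fragment + record_mac(key, seq, fragment)

def verify(key, seq, payload):
    """Return the plaintext if the MAC matches this sequence number, else None."""
    if len(payload) < MAC_LEN:
        return None
    fragment, tag = payload[:-MAC_LEN], payload[-MAC_LEN:]
    expected = record_mac(key, seq, fragment)
    return fragment if hmac.compare_digest(tag, expected) else None

# Constructed sample data (hypothetical key and blog fragment).
MAC_KEY = bytes(range(32))
POST = b'<a href="https://camera-shop.example/">great camera</a>'

def demo():
    record = protect(MAC_KEY, 0, POST)
    # A link rewritten in transit: the MAC no longer matches the fragment.
    altered = record.replace(b"camera-shop.example", b"other-site.example")
    return {
        "readable_on_wire": POST in record,           # no confidentiality
        "intact": verify(MAC_KEY, 0, record),         # plaintext returned
        "altered": verify(MAC_KEY, 0, altered),       # rejected
        "replayed": verify(MAC_KEY, 1, record),       # wrong seq_num, rejected
        "wrong_key": verify(b"\x00" * 32, 0, record), # rejected
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The sequence number is never sent on the wire; both ends count records, which is why the replayed record fails even though its bytes are unmodified.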
