- From: Greg Wilkins <gregw@intalio.com>
- Date: Thu, 26 Jul 2012 11:13:49 +1000
- To: ietf-http-wg@w3.org
On 20 July 2012 02:05, Tim Bray <tbray@textuality.com> wrote:

> No, privacy is important. There are things on my blog that people in
> certain situations could get in trouble just for reading. I should
> offer privacy, and it’s a failure on my part that I don’t. -T

Privacy is important. But I think HTTP/2.0 has to be very careful about what it promises with regards to privacy, as it is not just content that can get readers into trouble.

It is possible to infer a lot of private information even from encrypted traffic, just from where it is directed and even when it is sent. Seeing a connection from a work computer to a TSFW server is going to get the reader in trouble no matter if the content is encrypted or not... it may even get them into worse trouble, as imaginations can fill in the content.

Also consider a server using some HTTP/2.0 push feature to push out stock market prices as they change, where users can have a custom portfolio of stocks that they watch. It can be very valuable information to know what stocks a top trader has in their portfolio, so if you sniff packets on their network, it does not matter that the contents are encrypted, because over a period you can correlate the time that they receive encrypted packets with known fluctuations of stock prices and thus work out the contents of their portfolio.

In the same way, you can match traffic to/from gmail to posts on forums and mailing lists and infer authors and subscribers on your local network. You can even determine lengths of passwords and other information that can assist with breaking security.

Privacy is important; I just don't think it is something that we can truly provide simply by encrypting the transport layer. So there is a danger in over-promising to say that HTTP/2.0 will be TLS for reasons of privacy.

regards

--
Greg Wilkins <gregw@intalio.com>
http://www.webtide.com
Developer advice and support from the Jetty & CometD experts.
Received on Thursday, 26 July 2012 01:14:18 UTC
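An added illustration of the two leaks the message above describes (push-frame timing that correlates with public price changes, and record length that reveals password length), each beside the mitigation that removes it. This is example code written for this page, not anything from the thread or from HTTP/2.0 itself; the tick times, the watchlist and the 16-byte AEAD overhead are constructed assumptions.

```python
from math import ceil

AEAD_OVERHEAD = 16  # bytes added per record by the AEAD tag (assumed, typical of TLS 1.3)

def ciphertext_len(plaintext_len, pad_to=None):
    """Record size an on-path observer sees; with pad_to, the plaintext is first
    padded up to the next multiple of pad_to so sizes collapse into buckets."""
    if pad_to:
        plaintext_len = ceil(plaintext_len / pad_to) * pad_to
    return plaintext_len + AEAD_OVERHEAD

def distinguishable_lengths(plaintext_lens, pad_to=None):
    """Number of distinct plaintext lengths the observer can still tell apart."""
    return len({ciphertext_len(n, pad_to) for n in plaintext_lens})

def infer_watchlist(push_times, public_ticks, tolerance=0.5):
    """What the observer can conclude from push-frame arrival times alone:
    a symbol counts as 'watched' if every public price change for it was
    followed by an encrypted push frame within `tolerance` seconds."""
    return sorted(
        sym for sym, ticks in public_ticks.items()
        if all(any(0 <= p - t <= tolerance for p in push_times) for t in ticks)
    )

def event_driven_pushes(public_ticks, watchlist, latency=0.1):
    """Leaky design: the server pushes immediately on each change of a watched symbol."""
    return sorted(t + latency for sym in watchlist for t in public_ticks[sym])

def scheduled_pushes(horizon, interval):
    """Mitigation: push a fixed-size frame on a fixed schedule whether or not
    anything changed, so arrival times carry no information about the portfolio."""
    return [interval * k for k in range(1, int(horizon // interval) + 1)]

# Constructed sample data: public tick times per symbol and one user's private watchlist.
TICKS = {"ACME": [1.0, 7.2, 13.4], "BETA": [3.1, 9.8], "GAMMA": [4.5, 11.0]}
WATCHLIST = ["ACME", "GAMMA"]

if __name__ == "__main__":
    pw_lens = [8, 12, 16, 20]
    print("password lengths distinguishable, unpadded:", distinguishable_lengths(pw_lens))
    print("password lengths distinguishable, padded to 32:", distinguishable_lengths(pw_lens, 32))
    print("inferred from event-driven push:", infer_watchlist(event_driven_pushes(TICKS, WATCHLIST), TICKS))
    print("inferred from scheduled push:", infer_watchlist(scheduled_pushes(15, 5), TICKS))
```

With event-driven push the observer recovers the full watchlist from timing alone; with scheduled, constant-size frames the same observer learns nothing, which is the kind of application-level measure the message argues transport encryption cannot substitute for.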