- From: Greg Wilkins <gregw@intalio.com>
- Date: Mon, 6 Aug 2012 11:44:33 +1000
- To: ietf-http-wg@w3.org
On 31 July 2012 14:43, Mike Belshe <mike@belshe.com> wrote:
>
> On Wed, Jul 18, 2012 at 8:23 PM, Tim Bray <tbray@textuality.com> wrote:
>>
>> Fair point; I should. -T
>
> Yeah, belshe.com should too :-)
>

Mike,

I don't understand the benefit of encrypting traffic to/from a public blog site? There is no privacy obtained by doing so.

If I can see somebody on my network make a connection to belshe.com, then I can go browse that site myself and see all the content that the encrypted connection has available to it. By looking at the dates and sizes of the data transfers, I can make a pretty good estimate of the pages that the encrypted connection has accessed. TLS provides little privacy in this situation as I will know who the client connected to, what they saw and when they saw it.

Even if the browser pushes content, for a blog site that is more often than not a comment, so that will get published as well and again size/date matching can be very effective at working out who said what.

If privacy is a necessary attribute of HTTP/2.0, then we will have to prevent direct connections to servers and all traffic will need to go via anonymous proxy services.

There may well be good arguments for having confidential content as the default for HTTP/2.0, but privacy is not one of them.

cheers

--
Greg Wilkins <gregw@intalio.com>
http://www.webtide.com
Developer advice and support from the Jetty & CometD experts.

Received on Monday, 6 August 2012 01:45:00 UTC