
Re: Mandatory encryption *is* theater

From: Ryan Hamilton <rch@google.com>
Date: Tue, 27 Aug 2013 16:41:48 -0700
Message-ID: <CAJ_4DfQUjd9OMbGHC1JeZ9Ek=QaK104M1JDa_wsHwpoE7cqQGQ@mail.gmail.com>
To: Tim Bray <tbray@textuality.com>
Cc: Mike Belshe <mike@belshe.com>, Stephen Farrell <stephen.farrell@cs.tcd.ie>, httpbis mailing list <ietf-http-wg@w3.org>

I completely agree.  Just look at Firesheep...


On Tue, Aug 27, 2013 at 1:28 PM, Tim Bray <tbray@textuality.com> wrote:

> Yeah... we’ve had this conversation before.  But there are a lot of us who
> think that every time you turn one connection from naked to TLS, that is a
> step forward and something that we should be encouraging and facilitating
> to the degree that we can.  -T
>
>
> On Tue, Aug 27, 2013 at 12:42 PM, Mike Belshe <mike@belshe.com> wrote:
>
>> +1.  Encryption is not theater.   It raises the bar in a meaningful way.
>> On Aug 27, 2013 10:23 AM, "Stephen Farrell" <stephen.farrell@cs.tcd.ie>
>> wrote:
>>
>>>
>>> So just chiming in generally on this thread with no hats:
>>>
>>> - I don't agree with the subject line - if done properly,
>>> turning on encryption without authentication could be useful
>>> and not simply theater - for example it could increase the
>>> cost and/or complexity (and hence likelihood of discovery)
>>> of deploying pervasive surveillance.
>>>
>>> - Done badly of course, the outcome could be theater.
>>>
>>> - I disagree that making better use of crypto might cause
>>> authorities to be more authoritarian - while that might be
>>> a reasonable position to hold for folks with a certain world
>>> view, it's entirely unconvincing. I suspect that folks with
>>> that position cannot be convinced they are wrong and nor
>>> can folks who don't have that position.
>>>
>>> - I don't think this discussion should really have much to
>>> do with earlier discussions about performance or middleboxes.
>>> The WG had that discussion and this one is based on "new
>>> information" as I think Mark put it.
>>>
>>> - Some people might oversell the results of this discussion,
>>> yes, but that's always a danger and shouldn't drive the WG
>>> decision.
>>>
>>> All in all, I'd like to see more use of HTTP/TLS for
>>> confidentiality, even without origin authentication. (But
>>> that's probably no surprise:-)
>>>
>>> Cheers,
>>> S.
>>>
>>>
>>>
>>>
>>>
>
Received on Tuesday, 27 August 2013 23:42:15 UTC
