- From: Werner Baumann <werner.baumann@onlinehome.de>
- Date: Wed, 18 Sep 2013 20:24:12 +0200
- To: ietf-http-wg@w3.org
I don't like the proposed text at all. It proposes TLS as sole and efficient means to protect privacy. That's wrong for different reason: - TLS does not help against collecting and analyzing connection data, which is an important and dangerous part of the actions of governmental surveillance organizations. - TLS does not help against data collection conducted by providers of internet services, which is an equal important threat to end user's privacy. - The text only considers passive interception and man in the middle attacks and claims that TLS can mitigate the danger. It does not deal with MITM attacks on TLS-traffic which is known to happen. It ignores that TLS (at the moment) completely depends on the trustworthiness of CAs. But there is nobody who could tell for sure that these CAs are trustworthy. Quite the contrary. We have learned recently that even big companies seem to be quite defenseless when governments request their users data. - It only comes up with proposals what servers should do. But it would be even more important to talk about what end users can do and what vendors of HTTP-clients should do to help end users in this (and what most browser vendors don't). Discussion of security threats and measures against them is important. But it should be done seriously. Ritually promoting the one-size-fits-none security of TLS does not help. Werner
Received on Wednesday, 18 September 2013 18:24:49 UTC