- From: Eliot Lear <lear@cisco.com>
- Date: Wed, 18 Sep 2013 20:30:52 +0200
- To: Werner Baumann <werner.baumann@onlinehome.de>
- CC: ietf-http-wg@w3.org
Proposal: If we're going to maintain privacy considerations, let's create a separate section. But let's also not make this a treatise on HTTP and privacy issues. They are all quite well documented elsewhere (albeit not entirely in the IETF RFC series).

Eliot

On 9/18/13 8:24 PM, Werner Baumann wrote:
> I don't like the proposed text at all. It proposes TLS as the sole and
> efficient means to protect privacy. That's wrong for different reasons:
>
> - TLS does not help against collecting and analyzing connection
> data, which is an important and dangerous part of the actions of
> governmental surveillance organizations.
>
> - TLS does not help against data collection conducted by providers of
> internet services, which is an equally important threat to end users'
> privacy.
>
> - The text only considers passive interception and man-in-the-middle
> attacks and claims that TLS can mitigate the danger. It does not deal
> with MITM attacks on TLS traffic, which are known to happen. It ignores
> that TLS (at the moment) completely depends on the trustworthiness of
> CAs. But there is nobody who could tell for sure that these CAs are
> trustworthy. Quite the contrary. We have learned recently that even
> big companies seem to be quite defenseless when governments request
> their users' data.
>
> - It only comes up with proposals about what servers should do. But it would
> be even more important to talk about what end users can do and what
> vendors of HTTP clients should do to help end users in this (and
> what most browser vendors don't).
>
> Discussion of security threats and measures against them is important.
> But it should be done seriously. Ritually promoting the
> one-size-fits-none security of TLS does not help.
>
> Werner
Received on Wednesday, 18 September 2013 18:31:39 UTC
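The first point in Werner's list, that TLS does not stop the collection and analysis of connection data, can be made concrete with a small parser. In a TLS 1.2 handshake the ClientHello, including the Server Name Indication extension (RFC 6066), is sent before any encryption is negotiated, so a passive observer sees which host name the client asked for. The following is an added example written for this page; it is not code from the mailing-list thread or from any IETF document. The ClientHello bytes are constructed inline (fixed all-zero random, an illustrative cipher-suite list) so the script runs offline, and the function and variable names are the author's own.

```python
import struct
from collections import Counter
from typing import Iterable, Optional


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record (constructed test data).

    Layout follows RFC 5246 section 7.4.1.2; the random is zeroed and the
    cipher-suite list is illustrative, since only the framing matters here.
    """
    body = b"\x03\x03" + bytes(32)                 # client_version, random
    body += b"\x00"                                # empty session_id
    suites = b"\xc0\x2f\xc0\x30\x00\x9c"           # three illustrative suites
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                            # compression: null only
    exts = b""
    if server_name is not None:
        name = server_name.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    sigalgs = b"\x04\x03\x08\x04\x04\x01"          # signature_algorithms ext
    sa_body = struct.pack("!H", len(sigalgs)) + sigalgs
    exts += struct.pack("!HH", 0x000d, len(sa_body)) + sa_body
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the SNI host name from a ClientHello record, or None if absent.

    Every read is bounds-checked; a truncated record raises ValueError
    rather than silently returning a partial name.
    """
    def take(buf: bytes, off: int, n: int) -> bytes:
        if off + n > len(buf):
            raise ValueError("truncated at offset %d" % off)
        return buf[off:off + n]

    if take(record, 0, 1) != b"\x16":
        raise ValueError("not a handshake record")
    rec_len = struct.unpack("!H", take(record, 3, 2))[0]
    hs = take(record, 5, rec_len)
    if take(hs, 0, 1) != b"\x01":
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(take(hs, 1, 3), "big")
    body = take(hs, 4, hs_len)

    off = 2 + 32                                   # skip version + random
    off += 1 + take(body, off, 1)[0]               # session_id
    off += 2 + struct.unpack("!H", take(body, off, 2))[0]   # cipher_suites
    off += 1 + take(body, off, 1)[0]               # compression_methods
    if off == len(body):
        return None                                # no extensions block
    ext_len = struct.unpack("!H", take(body, off, 2))[0]
    off += 2
    end = off + ext_len
    while off + 4 <= end:
        etype, elen = struct.unpack("!HH", take(body, off, 4))
        off += 4
        edata = take(body, off, elen)
        off += elen
        if etype != 0x0000:                        # not server_name
            continue
        list_len = struct.unpack("!H", take(edata, 0, 2))[0]
        p = 2
        while p + 3 <= 2 + list_len:
            ntype = take(edata, p, 1)[0]
            nlen = struct.unpack("!H", take(edata, p + 1, 2))[0]
            p += 3
            name = take(edata, p, nlen)
            p += nlen
            if ntype == 0:                         # NameType host_name
                return name.decode("ascii")
    return None


def is_well_formed(record: bytes) -> bool:
    """True if the record parses as a ClientHello (SNI present or not)."""
    try:
        extract_sni(record)
        return True
    except ValueError:
        return False


def observed_hosts(records: Iterable[bytes]) -> Counter:
    """Tally host names a passive observer can read off a stream of ClientHellos."""
    tally: Counter = Counter()
    for rec in records:
        name = extract_sni(rec)
        if name is not None:
            tally[name] += 1
    return tally


if __name__ == "__main__":
    # Constructed traffic: three handshakes, one without SNI.
    stream = [build_client_hello(h) for h in ("example.com", "example.com", None)]
    print(observed_hosts(stream))       # Counter({'example.com': 2})
```

Nothing in this parser touches a key or a certificate; it reads the host name straight out of the handshake framing. That is the metadata that the quoted message says TLS does not protect, and it is why a "use TLS" recommendation on its own does not address that threat. (Encrypted ClientHello work in the IETF later targeted exactly this field, but at the time of the thread it was sent in the clear in every TLS version.)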