
Re: Adding Security Considerations regarding interception to p1

From: Eliot Lear <lear@cisco.com>
Date: Wed, 18 Sep 2013 20:30:52 +0200
Message-ID: <5239F15C.9000408@cisco.com>
To: Werner Baumann <werner.baumann@onlinehome.de>
CC: ietf-http-wg@w3.org

If we're going to maintain privacy considerations, let's create a
separate section.  But let's also not make this a treatise on HTTP and
privacy issues.  They are all quite well documented elsewhere (albeit
not entirely in the IETF RFC series).


On 9/18/13 8:24 PM, Werner Baumann wrote:
> I don't like the proposed text at all. It proposes TLS as sole and
> efficient means to protect privacy. That's wrong for different reasons:
> - TLS does not help against collecting and analyzing connection
>   data, which is an important and dangerous part of the actions of
>   governmental surveillance organizations.
> - TLS does not help against data collection conducted by providers of
>   internet services, which is an equally important threat to end users'
>   privacy.
> - The text only considers passive interception and man in the middle
>   attacks and claims that TLS can mitigate the danger. It does not deal
>   with MITM attacks on TLS-traffic which is known to happen. It ignores
>   that TLS (at the moment) completely depends on the trustworthiness of
>   CAs. But there is nobody who could tell for sure that these CAs are
>   trustworthy. Quite the contrary. We have learned recently that even
>   big companies seem to be quite defenseless when governments request
>   their users' data.
> - It only comes up with proposals what servers should do. But it would
>   be even more important to talk about what end users can do and what
>   vendors of HTTP-clients should do to help end users in this (and
>   what most browser vendors don't).
> Discussion of security threats and measures against them is important.
> But it should be done seriously. Ritually promoting the
> one-size-fits-none security of TLS does not help.
> Werner 
Received on Wednesday, 18 September 2013 18:31:39 UTC
