Re: Moving forward on improving HTTP's security

I thought we already did the mandatory TLS argument to death many times.

We added MITM in WinGate mostly because Google and FB went to https.  
Google and FB you may take a bow.

Does this improve security of the web overall?  IMO no.  People can now 
snaffle banking passwords with a filter plugin.

You really want to scale this out?  How will that make it any better?

You're suggesting anyone wanting to run an http2 server now has to 
purchase, and pay for the ongoing maintenance of a cert, and take the 
cost on additional CPU to handle the load?

Organisations have to live with the pain in the neck of deploying 
signing certs to clients, dealing with visitor devices etc etc.  This = 
reduction in user experience.

So, IMO making TLS mandatory = reduced security, worse user experience, 
and increased costs.

That's progress I guess.




------ Original Message ------
From: "Stephen Farrell" <stephen.farrell@cs.tcd.ie>
To: "Willy Tarreau" <w@1wt.eu>; "Mike Belshe" <mike@belshe.com>
Cc: "William Chan" <willchan@chromium.org>; "Tao Effect" 
<contact@taoeffect.com>; "Tim Bray" <tbray@textuality.com>; "James M 
Snell" <jasnell@gmail.com>; "Mark Nottingham" <mnot@mnot.net>; "HTTP 
Working Group" <ietf-http-wg@w3.org>
Sent: 14/11/2013 10:57:46 a.m.
Subject: Re: Moving forward on improving HTTP's security
>
>I have to agree that the logic here is hard to find.
>
>On 11/13/2013 09:54 PM, Willy Tarreau wrote:
>>  On Wed, Nov 13, 2013 at 01:23:41PM -0800, Mike Belshe wrote:
>>>  To paraphrase, you're saying:
>>>     "I don't like TLS because I use the presence of TLS to know that I could
>>>  be hacked right now. But if you turn on TLS always, I won't be able to
>>>  tell if I can get hacked."
>>
>>  Huh ? No. I mean "The TLS model is fine for me as long as it's used where
>>  needed and if it's not abused because I expect all actors in the chain to
>>  care about security". Let's ensure we don't break that weak link from the
>>  root CAs to me by making its use mandatory for all no-value stuff that
>>  nobody cares about and which will make it normal for everyone to deploy
>>  broken configs and rogue CAs everywhere for the sake of simplicity.
>
>Break the link by making it mandatory sounds like wild supposition.
>
>S
>
>>
>>>  To summarize:
>>>    1) You're happy with the security you get with TLS to Paypal now
>>>    2) You're unhappy with that same security (TLS) enforced everywhere
>>>  because it is suddenly less secure.
>>
>>  Exactly.
>>
>>>  This is also illogical. We're not changing TLS.
>>
>>  Yes you are. You're not changing the protocol but the economics and
>>  the actors' motives to deliver certs the proper way. When certs are
>>  needed to connect to my printer, I doubt I'll have to order a new
>>  cert every year to connect to it once every 3 years at most to change
>>  its IP address. Instead the manufacturer will want a 10 years cert,
>>  and since he won't be able to get that, some CAs will start to offer
>>  this (possibly at a high price). We'll possibly find it much easier
>>  and cheaper to become a valid CA and to issue certs for anyone. I'm
>>  sorry but the day I can issue a paypal cert myself and have my browser
>>  accept it without me having to do anything with its configuration, I'll
>>  start to get a little bit scared.
>>
>>  Right now it's simple : TLS is annoying to deploy so you do it where
>>  it matters. It can be free but at least it requires some care and you
>>  are willing to accept that for the sites you value. Once you don't
>>  value anymore the certs you are installing and users start to do wrong
>>  things such as clicking 100 times a day "Ignore this cert error" because
>>  everyone uses crappy certs, the TLS model will be useless.
>>
>>  Willy
>>
>>
>>
>>
>

Received on Wednesday, 13 November 2013 22:36:50 UTC