- From: Willy Tarreau <w@1wt.eu>
- Date: Thu, 14 Nov 2013 00:16:26 +0100
- To: Mike Belshe <mike@belshe.com>
- Cc: Stephen Farrell <stephen.farrell@cs.tcd.ie>, "William Chan (陈智昌)" <willchan@chromium.org>, Tao Effect <contact@taoeffect.com>, Tim Bray <tbray@textuality.com>, James M Snell <jasnell@gmail.com>, Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
On Wed, Nov 13, 2013 at 02:32:19PM -0800, Mike Belshe wrote:
> Look, we've had this debate time and time again and it's always the people
> with vested interests that are against TLS. I have yet to hear from a
> single person that is against TLS who isn't either a hacker, a government
> agent, or a seller of software which relies on unsecured traffic. Not one.
> Actually, the hackers don't care that much.

Mike, please stop saying I'm "against TLS", you sound like you don't read or don't understand. I'm "for TLS" but "not for everything". And I'm in neither category either.

> I do hear what you're writing, that you think use of more TLS will somehow
> cripple existing TLS, but you're ignoring that it is hackable now...

No, I don't ignore it. And I also know it's not the biggest weakness of the Web right now either (mobile code in the form of malware is doing a lot more harm than TLS). But at least we can still educate people not to blindly click on "I accept the risk" all day when they do this, and instead teach them to read the details and accept or not depending on what they see and the importance of the site they're visiting (e.g. if forums.foo.com presents a cert saying www.foo.com, and you're just looking for some hints to configure your graphics driver, you probably don't mind the warning). Having them do so 1-3 times a day is probably acceptable. Doing it 10 times more because the vast majority of the sites that will be forced to migrate to TLS will have no interest in it and will not take care of doing it right is a big problem.

> Our use of it doesn't change that.

For sure. So let's insist on something that you say yourself is already hackable before we even have anything solid to base the design on? Your reasoning sounds strange to me (we'll use TLS only for HTTP/2 because it's hackable, so for sure it will improve).

> Despite shortcomings, we do need to raise the bar - there is real,
> documented evidence of that.

I agree with that as well.

My conviction is that doing what you plan to do will not raise the bar at all but will put it on the floor. We're allowed to disagree, we've had that conversation many times and at least we're consistent. It's a matter of beliefs, just like people have political opinions or religions.

> And TLS will evolve too, and we (http) will evolve with it.

Great, so let's see it evolve first.

Willy
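The forums.foo.com / www.foo.com mismatch mentioned above is exactly the check a browser performs before it shows the "I accept the risk" dialog. As an added example, not part of the original message or of any cited project, here is a small hostname verifier in the style of RFC 6125 that runs over the dict shape `ssl.SSLSocket.getpeercert()` returns; the certificates at the bottom are constructed for illustration and the function names are this example's own. It goes slightly beyond the message's case by also showing the wildcard and subjectAltName-over-CN rules that decide whether a mismatch warning appears at all.

```python
"""Hostname verification for a presented certificate (RFC 6125 style).

Added example; the certificates below are constructed, not real.
Input is the dict layout produced by ssl.SSLSocket.getpeercert().
"""


def dns_names(cert):
    """Return the DNS identifiers a certificate claims.

    subjectAltName dNSName entries take precedence; the subject CN is
    consulted only when no dNSName exists (RFC 6125 section 6.4.4).
    """
    sans = [value for (kind, value) in cert.get("subjectAltName", ())
            if kind == "DNS"]
    if sans:
        return sans
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return [value]
    return []


def identifier_matches(pattern, hostname):
    """Match one presented identifier against the requested hostname.

    Case-insensitive, trailing dot ignored.  A wildcard is honoured only
    as the whole leftmost label ("*.foo.com"), spans exactly one label
    (so "*.foo.com" matches neither "a.b.foo.com" nor bare "foo.com"),
    and needs at least two fixed labels behind it ("*.com" is refused).
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[2:]:
        return False  # wildcard only as the complete leftmost label
    if len(p_labels) < 3:
        return False  # refuse "*.com"-style patterns
    if len(p_labels) != len(h_labels):
        return False  # wildcard covers a single label only
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert, hostname):
    """True if any presented identifier in cert covers hostname."""
    return any(identifier_matches(p, hostname) for p in dns_names(cert))


def describe(cert, hostname):
    """Human-readable verdict, the information a warning dialog shows."""
    names = dns_names(cert)
    if hostname_matches(cert, hostname):
        return "OK: certificate covers %s" % hostname
    return "MISMATCH: %s not in %s" % (hostname, names)


# Constructed sample certificates (hypothetical, for illustration only).
WWW_FOO_CERT = {                      # the message's example: cert for www.foo.com
    "subject": ((("commonName", "www.foo.com"),),),
    "subjectAltName": (("DNS", "www.foo.com"),),
}
WILDCARD_CERT = {                     # what the forum operator should have deployed
    "subject": ((("commonName", "*.foo.com"),),),
    "subjectAltName": (("DNS", "*.foo.com"), ("DNS", "foo.com")),
}
CN_ONLY_CERT = {                      # legacy cert with no SAN at all
    "subject": ((("commonName", "forums.foo.com"),),),
}
SAN_OVERRIDES_CN_CERT = {             # CN says forums, SAN says www: SAN wins
    "subject": ((("commonName", "forums.foo.com"),),),
    "subjectAltName": (("DNS", "www.foo.com"),),
}

if __name__ == "__main__":
    print(describe(WWW_FOO_CERT, "forums.foo.com"))
    print(describe(WILDCARD_CERT, "forums.foo.com"))
    print(describe(SAN_OVERRIDES_CN_CERT, "forums.foo.com"))
```

Running it on the message's scenario reports a mismatch for forums.foo.com against the www.foo.com certificate, and shows that a `*.foo.com` certificate would have avoided the dialog entirely; note that a certificate whose subjectAltName is present but wrong is still a mismatch even when its CN happens to be right, which is a common reason for the warnings the message describes.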
Received on Wednesday, 13 November 2013 23:16:59 UTC