- From: Roberto Peon <grmocg@gmail.com>
- Date: Thu, 14 Nov 2013 21:38:10 -0800
- To: Bruce Perens <bruce@perens.com>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>
- Message-ID: <CAP+FsNeHtkHTK1dGz3uqYZgORiXiWmgSEnW0oUFABu8YubPf1A@mail.gmail.com>
On Nov 14, 2013 8:24 AM, "Bruce Perens" <bruce@perens.com> wrote: > > On 11/14/2013 09:49 AM, Roberto Peon wrote: >> >> There is a means of opting out, however, which exists and is widely deployed: http1 > > This isn't realistic unless the HTTP 2 specification makes support of HTTP 1 mandatory. Which of course is silly. >> >> There was near unanimity at the plenary that we should do something about pervasive monitoring > > You had a humming vote to give yourselves the new mission of curing social and political ills rather than technical ones, by inflicting a mandatory encryption requirement on everyone, everywhere? It sounds like a big over step. You are putting words in people's mouths, or at least doing some liberal coloring outside the lines. We know that there is pervasive monitoring by many disparate parties. What do you propose to do about it, or are you proposing that this is desirable? > > > Let's make this more clear and ignore the Amateur Radio issue for now. I don't wish to be forced into concealment in my normal operations on the Internet. Then don't browse any site which uses or requires https? Or, use a browser which sticks to a plaintext protocol? Why is this difficult? > > > Nor do I wish to have traffic over my personal network which I can not supervise. You should probably close off all unknown, non-plaintext ports, or install a MITM for the SSL stuff. > Unfortunately, there are a lot of operating systems and applications that I have not written which use that network. When I can't see the contents of their network traffic, it is more likely that traffic is being used to eavesdrop upon me. Surrounding that traffic with chaff by requiring encryption of _all_ HTTP traffic means that this hostile encrypted traffic will be impossible to find. Sure, there is most definitely a tradeoff between ensuring privacy across the open net and being able to look into all streams. What I don't see, however, is how you will ever have enough time to understand all of the interactions which are ongoing on your network-- steganography is just too easy, even for plaintext. > > > Thus, my security is reduced. > > >> Even were that not the case, websites are changing to https for various other reasons > > That's fine, because it's their choice or the users choice. Not yours. Yes? And what is proposed is still that... -=R > > > Thanks > > > Bruce > >
Received on Friday, 15 November 2013 05:38:38 UTC