- From: Mike Belshe <mike@belshe.com>
- Date: Thu, 14 Nov 2013 22:01:10 -0800
- To: Bruce Perens <bruce@perens.com>
- Cc: httpbis mailing list <ietf-http-wg@w3.org>
- Message-ID: <CABaLYCte+2TBMOGvkKDVLX_h==9uWq773=8UpXRXBbWQ7hDWBA@mail.gmail.com>
On Thu, Nov 14, 2013 at 10:23 AM, Bruce Perens <bruce@perens.com> wrote: > On 11/14/2013 09:49 AM, Roberto Peon wrote: > > There is a means of opting out, however, which exists and is widely > deployed: http1 > > This isn't realistic unless the HTTP 2 specification makes support of HTTP > 1 mandatory. Which of course is silly. > > There was near unanimity at the plenary that we should do something about > pervasive monitoring > > You had a humming vote to give yourselves the new mission of curing social > and political ills rather than technical ones, by inflicting a mandatory > encryption requirement on everyone, everywhere? It sounds like a big over > step. > > > Let's make this more clear and ignore the Amateur Radio issue for now. I > don't wish to be forced into concealment in my *normal operations on the > Internet.* > > > Nor do I wish to have traffic over my personal network which I can not > supervise. Unfortunately, there are a lot of operating systems and > applications that I have not written which use that network. When I can't > see the contents of their network traffic, it is more likely that traffic > is being used to eavesdrop upon me. *Surrounding that traffic with chaff > by requiring encryption of _all_ HTTP traffic means that this hostile > encrypted traffic will be impossible to find.* > > > Thus, my security is reduced. > > > Even were that not the case, websites are changing to https for various > other reasons > > That's fine, because it's their choice or the users choice. Not yours. > Bruce - I'm not going to win you over. But I will try anyway. Let's split this into two questions: 1) Should we be striving for more communications privacy and security in HTTP at all? 2) Is mandatory security a good step toward that goal? 3) Is TLS a good step toward that goal? Regarding #1: General users can't tell when they should expect have security on or off. Many security usability studies have shown this. Regardless of how you feel about TLS or encryption or authentication, you probably agree that in general, we should make the internet "just work" for people without them having to know, "gee, is this security level the right one for me?" I've spent a lot of time researching this, as have many others on this list. Our conclusion is that the only way to help them is to have everything encrypted all the time. The details of 128bit keys/certificate expiration/server authenticated/TLS1.0/blah blah blah are subtleties that Internet users today can't be expected to understand before going online. This is very different from HTTP of yesteryear. The malware present, the bad actors present, and the volume of users online without strong technical depth have radically changed since HTTP/1.1 was drafted 15 years ago. Hopefully we agree that HTTP should be doing this and can stop debating "but I want my open network for me in my house". You're an expert. You can figure something out that you like, no matter what protocol choices we make. Regarding #2: A lot of us on this list have studied HTTP and security and how to protect general internet users today. Our conclusion is that the only way to protect them is to have security on all the time. Users can't be expected to differentiate when it is the right level - it needs to always be the right level. And the website operators, they don't know what a given user needs to encrypt/make private/secure either. There are obvious cases, like banking info, where it is clear we all want to encrypt. But other cases, this is gray. The only answer which always works is to simply encrypt all the time. I'm not really open to counter proposals on this - we've been researching this and come to this conclusion slowly and deliberately over the last 10 years. Regarding #3: TLS is not as easy as it could be. I agree. This is in part because we allow website owners that are technical enough to deploy TLS to not do so. Its also an aging system that is in need of an update. It will get addressed. But it is far better than nothing. MITM is happening already, so we don't have to worry about instigating that. But to accomplish #1 and #2 above, we need to start taking steps to protect the users. We can't improve the security in HTTP until we agree to PUT some basic security into HTTP. And right now, the only option on the table to do so is TLS. It'll be a little painful. It won't be for everyone, and a few sites will opt to keep with HTTP/1.1, just like 10 years ago when a few devices/sites decided to keep with HTTP/1.0. It will be 15 years before we get to take another shot at HTTP to add security into it. The timing is literally do it now, or for a lot of us on this list, not in our lifetimes... Mike > > Thanks > > > Bruce > >
Received on Friday, 15 November 2013 06:01:37 UTC