- From: Willy Tarreau <w@1wt.eu>
- Date: Fri, 15 Nov 2013 08:15:05 +0100
- To: Roberto Peon <grmocg@gmail.com>
- Cc: Bruce Perens <bruce@perens.com>, HTTP Working Group <ietf-http-wg@w3.org>
Hi Roberto,

On Thu, Nov 14, 2013 at 09:38:10PM -0800, Roberto Peon wrote:
> We know that there is pervasive monitoring by many disparate parties.
>
> What do you propose to do about it, or are you proposing that this is
> desirable?

A quick point here: yes, there is this monitoring and yes, we'd like to get rid of it. But it seems amazing to me to see that people forget the most important part: the only value of the information to collect is on HTTPS and this monitoring happens mostly on HTTPS. End users' gmail accesses get sniffed and have been for a while now in certain countries. To the best of my knowledge, gmail is https-only, right?

So by migrating all non-important web sites from HTTP to HTTPS, we won't fix this; at most we'll add more noise to the sniffers, except that it's trivial to pick the domains or addresses they're interested in.

Again, the only short-term *fix* to this situation is to make the user aware of what's happening. The UI could display in real time at the bottom of the page the name of the cert issuer, for example. And we must make it impossible to click through "I accept the risk" since it provides no additional security over plain-text.

Best regards,
Willy
Received on Friday, 15 November 2013 07:15:30 UTC