Re: Pervasive encryption: Pro and contra

On Sun, Nov 17, 2013 at 12:03 PM, Poul-Henning Kamp <phk@phk.freebsd.dk>wrote:

> In message <
> CABaLYCtyuvjX+VwmUXcA9cCr6E0_fCS+fUWfruC9cQaAGvX_ew@mail.gmail.com>
> , Mike Belshe writes:
>
> >No, this is a pro not a con.  It is unethical for us to ship unsecure
> >software.   http without tls is fundamentally below the bar of basic,
> known
> >best practices.
>
> Bull-shit.
>

You're missing the point, PHK.  Someone added a "con" to the list that it
is somehow unethical to use TLS.  I disagree with that opinion, and was
simply countering it with a bit of sarcasm.

I doubt we have agreement on what is ethical or not in this protocol with
relation to using TLS.  But in my opinion, it is definitely not unethical
to encrypt the protocol.  There are plenty of protocols and applications
that encrypt without your choice.

So I propose we drop these silly opinion statements from the pro/con list.

The only difference between us, PHK, is that you're advocating a POLICY of
opt-in security. I'm advocating a POLICY of opt-out.  Neither of us is
proposing taking away TLS nor taking away unencrypted HTTP.

Mike




>
> It may be below your personal political point of view, but I have
> yet to hear one single porn-site say that lack of encryption is
> below their standard.
>
> That's only funny until you remember that they and they move about
> 30% of the HTTP bytes on the net.
>
> Furthermore, television is being "de-cabled" and I have yet to hear
> any of them wanting to first expend effort on DRM encryption and then
> wrap that in an extra layer of encryption because it would be
> "below the bar" for somebodys "best practice".
>
> HTTP/2 is a protocol Mike, it is not a policy.
>
>
> --
> Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
> phk@FreeBSD.ORG         | TCP/IP since RFC 956
> FreeBSD committer       | BSD since 4.3-tahoe
> Never attribute to malice what can adequately be explained by incompetence.
>