- From: Amos Jeffries <squid3@treenet.co.nz>
- Date: Tue, 19 Nov 2013 14:54:28 +1300
- To: ietf-http-wg@w3.org
On 2013-11-19 13:15, Stephen Farrell wrote:
> Roy,
>
> One request for clarification below:
>
> On 11/18/2013 11:39 PM, Roy T. Fielding wrote:
>> On Nov 17, 2013, at 3:40 PM, Mike Belshe wrote:
>>> On Sun, Nov 17, 2013 at 3:27 PM, Roy T. Fielding wrote:
>>> Security is a systemic issue, not a protocol issue. There is nothing
>>> secure about TLS or encryption. There are merely some use cases in
>>> which the data crossing the wire can be made confidential to a given
>>> set of key holders, preferably controlled by the entity to which the
>>> user intends to communicate in confidence. That level of confidentiality
>>> is sufficient for many commerce use cases. It does not provide privacy.
>>>
>>> Anyone who thinks adding TLS to plain HTTP will improve security,
>>> let alone privacy, needs to learn how TLS gets its security.
>>> Encryption is not magic pixie dust.
>>>
>>> So your official statement is that TLS does not improve the security
>>> or privacy of HTTP?
>>
>> I don't make official statements.
>>
>> rot13 improves privacy, if what you mean by "improve" is that there
>> exist some tools that do not currently read rotated clear text.
>> I don't think "improves privacy" is a useful description.
>> You either have privacy or you don't.
>
> Security is less complicated than privacy and is definitely
> not a binary property. Privacy is at this point far less
> well defined, so I find the last statement above quite hard
> to accept. (In fact, I find it unbelievable.) However, privacy
> is so ill-defined that it's possible you're using some
> definition that does support such a binary distinction. FWIW,
> I'd be hugely surprised if there were a useful definition in
> which privacy was a binary property of systems.

It assumes privacy is roughly equated with anonymity. Which is what the general user population most vocal about either privacy or anonymity is also equating: requesting "can't spy on me" as opposed to accuracy of definition for privacy.

> I suspect there's not much point in a blow by blow response
> if it turns out our terminology is miles apart in that
> respect, so can you provide or point at your definition of
> privacy such that it's a binary property of systems?

I make the same point when debating anonymous proxy features with users. They have a binary choice:

0) remove datum X which is used for tracking
1) obscure/replace datum X with Y

NB: What at first thought appears to be a third option, "leave datum X alone", is actually the case of (1) when X==Y.

So every action taken on a single user's information exposes at minimum 1 bit of information about that user. The level of anonymity is part of their uniqueness. Doing (2) only has benefit if Y is more common than X. Thus the special case of X==Y (status quo) is the common case of most benefit.

Tradeoff is privacy vs security. It is exceedingly difficult to have both simultaneously. Perfect for both means being cut off from the communication channel entirely. Up to that point there is a weakest-link situation where the stronger either becomes, the more vulnerable it is to holes in the other.

Privacy requires that no one user can be separated from the crowd. The safest action is to take N users' data and jumble it all up - invisibility/anonymity/privacy by obscurity. Encryption / signing prohibits these protection actions.

TLS and similar end-to-end channels offer clear end-to-end separation of each individual client's data (albeit encrypted), such that individual user tracking improves to near 100% capability for any Big Brother entity. Each endpoint has full tracking ability for the connection, and Big Brother in the middle is provided with the guarantee that all bits of the stream are present and in the sequence visible to it.

Traffic which is allowed to be multiplexed by middleware becomes a far more jumbled "mess" of packets/frames across the network. The endpoints have no change to their abilities, but Big Brother in the middle has lost the guarantee of seeing everything at a single choke point, or getting it in the right order to identify an individual. It can still do that, but must cast a far wider net for less gain.

High quality protection ("security", "privacy", whatever you want to call it) is best when it involves a mixture of the two approaches: encrypting what needs to be hidden while simultaneously jumbling the critical bits amidst similar chaff from numerous other sources (on the server end) or destinations (on the client end). This is one key security property a middleware topology (dare I call it "cloud"?) offers.

Amos
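The "replace datum X with Y only helps if Y is more common than X" argument in the mail above can be made concrete by measuring how many bits of identifying information a datum carries within a population. The following is an added example and not part of the mail or any Squid code; the User-Agent values and their counts are constructed for illustration.

```python
import math
from collections import Counter

# Constructed sample population: how many users present each value of a
# tracking-relevant datum (here a User-Agent string). Counts are made up.
POPULATION = Counter({
    "Mozilla/5.0 (Windows NT 6.1) Chrome/30": 60,
    "Mozilla/5.0 (Macintosh) Safari/7": 25,
    "Mozilla/5.0 (X11; Linux x86_64) Firefox/25": 10,
    "Custom-Agent/1.0 (build 4711)": 1,
})


def anonymity_set(datum, population=POPULATION):
    """Size of the crowd a user sending this datum can hide in:
    the number of users in the population presenting exactly it."""
    return population.get(datum, 0)


def identifying_bits(datum, population=POPULATION):
    """Surprisal of the datum, -log2(p), where p is the share of the
    population sending it. More bits means the datum narrows the user
    down further. A value nobody else sends counts as fully unique."""
    total = sum(population.values())
    count = max(population.get(datum, 0), 1)
    return -math.log2(count / total)


def replacement_benefit(x, y, population=POPULATION):
    """Identifying bits removed by having a proxy replace datum X with Y.
    Positive only when Y is more common than X in the population;
    exactly zero in the X == Y ("leave it alone") case the mail describes."""
    return identifying_bits(x, population) - identifying_bits(y, population)


if __name__ == "__main__":
    rare = "Custom-Agent/1.0 (build 4711)"
    common = "Mozilla/5.0 (Windows NT 6.1) Chrome/30"
    for datum in POPULATION:
        print(f"{identifying_bits(datum):5.2f} bits  crowd={anonymity_set(datum):3d}  {datum}")
    print(f"replace rare->common: {replacement_benefit(rare, common):+.2f} bits")
    print(f"replace common->rare: {replacement_benefit(common, rare):+.2f} bits")
    print(f"leave alone (X==Y):   {replacement_benefit(common, common):+.2f} bits")
```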
Received on Tuesday, 19 November 2013 01:54:54 UTC