Re: A proposal from Michael Sweet on 2013-11-19 (ietf-http-wg@w3.org from October to December 2013)

From: Michael Sweet <msweet@apple.com>
Date: Tue, 19 Nov 2013 09:38:44 -0500
To: Mike Belshe <mike@belshe.com>
Cc: "Roy T. Fielding" <fielding@gbiv.com>, Stephen Farrell <stephen.farrell@cs.tcd.ie>, HTTP Working Group <ietf-http-wg@w3.org>
Message-id: <66CDA00C-8806-488E-912A-03C09D749281@apple.com>

Mike,

On Nov 19, 2013, at 5:28 AM, Mike Belshe <mike@belshe.com> wrote:
> ...
> I am not sure what the next 10 years will bring.  But I am certain it will bring many incidents where we'll be able to look back and say, "hmmm... if we had put TLS in HTTP by default, that might not have happened."
>  
> People don't die because we did put in TLS.  They only die if we don't.

I know you are trying to be dramatic here, but I don't think "think of the children" arguments have any place here.

We can say we have an ethical obligation to support greater confidentiality/third-party privacy in HTTP (whatever version is used).  We can even say that TLS is one tool for the job that can make it harder for third parties to casually collect information about a person that is accessing a particular web site, and increased usage of https:// for web sites that store and/or provide Personally Identifying Information (PII) and/or other sensitive information is both recommended and useful.

But to dramatically state that adding TLS will prevent deaths is both technically inaccurate (TLS is only one piece of a much bigger set of changes that are needed, and technology is only one tool used by oppressive regimes) and does not convince me in the least - in fact, if I was a paranoid person it would have the opposite effect - why are you so focused on TLS, what have you to gain, etc.

I think it is important to recognize that we *cannot* secure the Internet, we can only make it harder for "the bad guys" to figure out what "the good guys" are doing.  But in doing so we also need to balance security against what "the good guys" need to know to protect other "good guys" from "the bad guys" (malware filtering, etc.)

Finally, I think it is a mistake to tie improved security/confidentiality/privacy to HTTP/2. It will take a while for ISPs, web sites, browsers, and proxy vendors to properly support HTTP/2, and everything we have talked about WRT TLS and HTTP/2 (minus maybe TLS-encrypted message bodies) applies equally to HTTP/1.x.  Clearly there are recommendations that we can make today (best practices, deployment strategies, etc.) to provide a "safer" web browsing experience.

_________________________________________________________
Michael Sweet, Senior Printing System Engineer, PWG Chair

Received on Tuesday, 19 November 2013 14:39:23 UTC