- From: Willy Tarreau <w@1wt.eu>
- Date: Wed, 20 Nov 2013 02:23:42 +0100
- To: Mike Belshe <mike@belshe.com>
- Cc: httpbis mailing list <ietf-http-wg@w3.org>
On Tue, Nov 19, 2013 at 09:00:22AM -0800, Mike Belshe wrote:
> People do die because of unencrypted HTTP. I'm not sure how many
> governments have to get caught before you'll agree with this fact. From
> Iran to China to the US, this is widespread.

I'd be interested if anybody knows the ratio of gmail accounts that were snooped from cleartext vs those snooped on https. And it's certainly valid for facebook and many other webmails and social networks used in revolutions. I'd be inclined to believe that at least some of the ones above do not provide any clear text access.

So OK, you *believe* that doing it your way will make it more difficult for the snoopers, but it can even be the opposite. If the deployed technology is 100% focused on TLS right now for whatever reason (e.g. it only filters on the SNI to decide whether to capture or not), you could even have it reversed, with cleartext passing through undetected.

I'm not saying this is necessarily the case, Mike. I'm just saying that gratuitous claims such as "TLS will raise the bar" are gratuitous, especially in an era where most useful information already circulates over TLS and is stolen there (and more commonly inside the browser, because it's the best place for this).

Willy
Received on Wednesday, 20 November 2013 01:24:08 UTC