Re: Proposal for doing unauthenticated encryption inside of HTTP/2 from Paul Hoffman on 2013-12-04 (ietf-http-wg@w3.org from October to December 2013)

From: Paul Hoffman <paul.hoffman@gmail.com>
Date: Wed, 4 Dec 2013 09:56:26 -0800
To: James M Snell <jasnell@gmail.com>
Cc: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Message-ID: <CAPik8yaLYqxGZit_XwGEH_bgn30RaX5SXG_Wvmrc6JieyOsrmg@mail.gmail.com>

On Wed, Dec 4, 2013 at 9:22 AM, James M Snell <jasnell@gmail.com> wrote:

> I
> firmly believe that we cannot adequately address the passive
> surveillance issue using this form of unauthenticated encryption.

Please say more about this firm belief. This affects both Mark's
redirection proposal and mine. I have never heard how unauthenticated
encryption can be broken by a passive watcher, but if you have references
to such attacks, they would be very useful here.

Received on Wednesday, 4 December 2013 17:56:53 UTC