- From: Matthew Kerwin <matthew@kerwin.net.au>
- Date: Wed, 18 Dec 2013 11:43:26 +1000
- To: Patrick McManus <pmcmanus@mozilla.com>
- Cc: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
- Message-ID: <CACweHNBm-EH8GLJM+=SX+FL-BR4ML5qBKje6d1qt1rrtAh1fbg@mail.gmail.com>

On 18 December 2013 11:25, Patrick McManus <pmcmanus@mozilla.com> wrote:

> On Tue, Dec 17, 2013 at 6:50 PM, Matthew Kerwin <matthew@kerwin.net.au> wrote:
>
>> For example, I don't particularly need any of the CC-* content on my
>> website to be encrypted (it's free for everyone to read),
>
> The act of consuming public information requires different protection than
> the information itself because it concerns both the information and the
> consumer. The obvious argument is the public library - there are no secrets
> in the stacks, but the transaction records of a patron's account are held
> to a different standard.

If people are that worried about Super Spies seeing that they requested X documents from my website, including Y HTTP headers, from Z address, then they don't _have_ to visit my site. Or, if I'm offering TLS and they are happy with the processing overhead of en/decrypting the entire communication* then that's an option.**

* coming back to my understanding that decrypting the entire thing is pretty expensive, but calculating a checksum/hash and decrypting that is cheaper. If that's an incorrect assumption then please correct me.

** currently my entire site is HTTP-only, because my hosts don't even offer a TLS option unless I pay a somewhat exorbitant amount to upgrade to a "web commerce" plan, because only "web commerce" people want HTTPS apparently.

Per Martin's suggestion I think I'll take this conversation off the list now, so as not to add noise over the more important issues. If I have any further questions, or come up with a good proposal, I'll come back with it.

Cheers
--
Matthew Kerwin
http://matthew.kerwin.net.au/

Received on Wednesday, 18 December 2013 01:43:55 UTC