Re: authenticated unencrypted

On 18 December 2013 11:25, Patrick McManus <pmcmanus@mozilla.com> wrote:

>
> On Tue, Dec 17, 2013 at 6:50 PM, Matthew Kerwin <matthew@kerwin.net.au> wrote:
>
>>
>> For example, I don't particularly need any of the CC-* content on my
>> website to be encrypted (it's free for everyone to read),
>>
>
> The act of consuming public information requires different protection than
> the information itself because it concerns both the information and the
> consumer. The obvious argument is the public library - there are no secrets
> in the stacks, but the transaction records of a patron's account are held
> to a different standard.
>

If people are that worried about Super Spies seeing that they requested X
documents from my website, including Y HTTP headers, from Z address, then
they don't _have_ to visit my site.  Or, if I'm offering TLS and they are
happy with the processing overhead of en/decrypting the entire
communication* then that's an option.**

* coming back to my understanding that decrypting the entire thing is
pretty expensive, but calculating a checksum/hash and decrypting that is
cheaper.  If that's an incorrect assumption then please correct me.

** currently my entire site is HTTP-only, because my hosts don't even offer
a TLS option unless I pay a somewhat exorbitant amount to upgrade to a "web
commerce" plan, because only "web commerce" people want HTTPS apparently.

Per Martin's suggestion I think I'll take this conversation off the list
now, so as not to add noise over the more important issues.  If I have any
further questions, or come up with a good proposal, I'll come back with it.

Cheers
-- 
  Matthew Kerwin
  http://matthew.kerwin.net.au/

Received on Wednesday, 18 December 2013 01:43:55 UTC