- From: Greg Wilkins <gregw@intalio.com>
- Date: Tue, 24 Jun 2014 12:23:48 +0200
- To: Martin Thomson <martin.thomson@gmail.com>
- Cc: Frode Kileng <frodek@tele.no>, HTTP Working Group <ietf-http-wg@w3.org>
- Message-ID: <CAH_y2NF=joZyM+yKMw-_dM8CfsruaukBGwOXcL000JYdJfX4HA@mail.gmail.com>
On 24 June 2014 01:42, Martin Thomson <martin.thomson@gmail.com> wrote: > Instead, I place my trust in things like TLS, which in turn places trust > in the > cryptography community, etc... That's more than risky enough for me. > I think we too often make the error of representing that encryption == security && encryption == privacy. Users trust the little lock symbol in their browsers so they do their online banking and other financial translations. The recent attacks on TLS+gzip and the whole NSA snooping thing shows the value of meta-data and encryption of HTTP does not well hide very much meta data. Observers of encrypted traffic still know to whom, when and how much traffic is sent. In many cases that is sufficient to work out what content has been downloaded (ie with encryption your employer will still know you are watching youtube videos, and size will probably give them a reasonable guess at which ones!) User do extend trust to sites like google to not abuse content they can decrypt. I don't think it is a huge leap to consider having trusted proxies in the web of trust that we create - I just think that we have to be cautious to not over- represent any of our connections as truly secure. I think true security is outside the scope of http WG and we need to find language that describes what level of protection we can offer. For example, if we do have trusted proxies, it would be good to still have some end to end encryption so your employer can't see your online banking password. cheers -- Greg Wilkins <gregw@intalio.com> http://eclipse.org/jetty HTTP, SPDY, Websocket server and client that scales http://www.webtide.com advice and support for jetty and cometd.
Received on Tuesday, 24 June 2014 10:24:15 UTC