Re: Who to trust?

On 24 June 2014 01:42, Martin Thomson <martin.thomson@gmail.com> wrote:

> Instead, I place my trust in things like TLS, which in turn places trust
> in the cryptography community, etc...  That's more than risky enough for me.
>

I think we too often make the error of representing that encryption ==
security && encryption == privacy.

Users trust the little lock symbol in their browsers so they do their
online banking and other financial transactions.

The recent attacks on TLS+gzip and the whole NSA snooping thing show the
value of meta-data, and encryption of HTTP does not hide very much meta-data
at all. Observers of encrypted traffic still know to whom, when and how
much traffic is sent. In many cases that is sufficient to work out what
content has been downloaded (i.e. with encryption your employer will still
know you are watching youtube videos, and size will probably give them a
reasonable guess at which ones!)

Users do extend trust to sites like google to not abuse content they can
decrypt.

I don't think it is a huge leap to consider having trusted proxies in the
web of trust that we create - I just think that we have to be cautious to
not over-represent any of our connections as truly secure.  I think true
security is outside the scope of the HTTP WG and we need to find language that
describes what level of protection we can offer.

For example, if we do have trusted proxies, it would be good to still have
some end to end encryption so your employer can't see your online banking
password.

cheers

-- 
Greg Wilkins <gregw@intalio.com>
http://eclipse.org/jetty HTTP, SPDY, Websocket server and client that scales
http://www.webtide.com  advice and support for jetty and cometd.

Received on Tuesday, 24 June 2014 10:24:15 UTC
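An added illustration of the size-leakage point made in the message above (example code, not part of the thread): a constructed catalogue of resource sizes is matched against observed ciphertext lengths, and padding responses to fixed-size buckets is shown to enlarge the set of resources that look alike on the wire. The catalogue entries, their byte sizes and the per-record overhead constant are assumed values.

```python
"""Size-based identification of encrypted responses, and padding as a mitigation.

TLS hides the bytes of a response but only roughly its length. A passive
observer who has fetched the same public resources beforehand can map an
observed ciphertext length back onto a catalogue of candidate resources.
Padding every response up to a bucket boundary makes several resources
produce the same observable size, so the observer can no longer tell them apart.
"""
from collections import defaultdict

# Constructed catalogue: resource name -> plaintext size in bytes (hypothetical values).
CATALOGUE = {
    "video-a.mp4": 1_048_576,
    "video-b.mp4": 1_040_000,
    "video-c.mp4": 2_300_011,
    "login.html": 4_120,
    "logo.png": 4_130,
}

TLS_OVERHEAD = 29  # assumed framing overhead in bytes; illustrative only


def observed_size(plaintext_len, pad_to=0):
    """Length an on-path observer sees; optionally pad the plaintext to a bucket."""
    if pad_to:
        plaintext_len = -(-plaintext_len // pad_to) * pad_to  # round up to a multiple
    return plaintext_len + TLS_OVERHEAD


def build_index(pad_to=0):
    """Map each observable size to the catalogue resources that would produce it."""
    index = defaultdict(list)
    for name, size in CATALOGUE.items():
        index[observed_size(size, pad_to)].append(name)
    return dict(index)


def identify(observed, pad_to=0):
    """Candidate resources for an observed length (exact match against the catalogue)."""
    return build_index(pad_to).get(observed, [])


def anonymity_set_sizes(pad_to=0):
    """For each resource, how many catalogue entries share its observable size."""
    index = build_index(pad_to)
    return {name: len(index[observed_size(size, pad_to)]) for name, size in CATALOGUE.items()}
```

Without padding every entry is uniquely identifiable; with 64 KiB buckets the two small pages and the two similar-sized videos each collapse into a pair, at the cost of extra bytes.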