W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2014

Re: Fwd: IAB Statement on Internet Confidentiality

From: Willy Tarreau <w@1wt.eu>
Date: Mon, 17 Nov 2014 20:06:21 +0100
To: Phillip Hallam-Baker <phill@hallambaker.com>
Cc: Mike Belshe <mike@belshe.com>, Poul-Henning Kamp <phk@phk.freebsd.dk>, Roland Zink <roland@zinks.de>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Message-ID: <20141117190621.GC14542@1wt.eu>
On Mon, Nov 17, 2014 at 01:29:19PM -0500, Phillip Hallam-Baker wrote:
> I think that the outcome will be as follows:
> 1) Mandate use of TLS with HTTP.
> 2) Decide that using 'full TLS' is too much inconvenience.
> 3) Browsers race to the bottom weakening the TLS security model to
> meet the mandate
> 4) Bad TLS drives out the good.
> 5) Net reduction in security.

Also do not forget the disruptive impact on transparent caches
everywhere. Mobile phone operators are currently applying caches
to "enhance your experience" (in fact reduce their BW costs), and
doing so on HTTP only is still fine given that https-only traffic
is minimal today. When they'll see their external bandwidth grow
10-fold they'll start to aggressively decipher HTTPS to cache HTTPS
traffic as well. For them it's trivial, they just have to install
their root CA into each smartphone they sell. And at this point
none of the "secure" sites will be secure anymore at these places.

I've long said that trying to put https everywhere is pointless
until there's a reliable and clean method for letting trusted
proxies access the clear text (the famous "GET https://" we've
been talking about for years). Until this happens, people will
have to keep in mind that the internet is driven by economics,
not by ideology.

Received on Monday, 17 November 2014 19:06:49 UTC

This archive was generated by hypermail 2.4.0 : Thursday, 2 February 2023 18:43:47 UTC