- From: Willy Tarreau <w@1wt.eu>
- Date: Mon, 17 Nov 2014 20:06:21 +0100
- To: Phillip Hallam-Baker <phill@hallambaker.com>
- Cc: Mike Belshe <mike@belshe.com>, Poul-Henning Kamp <phk@phk.freebsd.dk>, Roland Zink <roland@zinks.de>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
On Mon, Nov 17, 2014 at 01:29:19PM -0500, Phillip Hallam-Baker wrote:

> I think that the outcome will be as follows:
>
> 1) Mandate use of TLS with HTTP.
> 2) Decide that using 'full TLS' is too much inconvenience.
> 3) Browsers race to the bottom weakening the TLS security model to
> meet the mandate
> 4) Bad TLS drives out the good.
> 5) Net reduction in security.

Also do not forget the disruptive impact on transparent caches everywhere. Mobile phone operators are currently applying caches to "enhance your experience" (in fact reduce their BW costs), and doing so on HTTP only is still fine given that https-only traffic is minimal today. When they see their external bandwidth grow 10-fold they'll start to aggressively decipher HTTPS to cache HTTPS traffic as well. For them it's trivial, they just have to install their root CA into each smartphone they sell. And at this point none of the "secure" sites will be secure anymore at these places.

I've long said that trying to put https everywhere is pointless until there's a reliable and clean method for letting trusted proxies access the clear text (the famous "GET https://" we've been talking about for years). Until this happens, people will have to keep in mind that the internet is driven by economics, not by ideology.

Willy
Received on Monday, 17 November 2014 19:06:49 UTC