Re: IAB Statement on Internet Confidentiality

On 17/11/2014 19:06, "Willy Tarreau" <w@1wt.eu> wrote:
>Also do not forget the disruptive impact on transparent caches
>everywhere. Mobile phone operators are currently applying caches
>to "enhance your experience" (in fact reduce their BW costs), and
>doing so on HTTP only is still fine given that https-only traffic
>is minimal today. When they see their external bandwidth grow
>10-fold they'll start to aggressively decipher HTTPS to cache HTTPS
>traffic as well. For them it's trivial, they just have to install
>their root CA into each smartphone they sell. And at this point
>none of the "secure" sites will be secure anymore at these places.
>
>I've long said that trying to put https everywhere is pointless
>until there's a reliable and clean method for letting trusted
>proxies access the clear text (the famous "GET https://" we've
>been talking about for years). Until this happens, people will
>have to keep in mind that the internet is driven by economics,
>not by ideology.

+1

While open to interpretation, I suspect that most will agree that there is
an actual economy associated with congestion management.  It appears to
make sense to have us (IETF) consider the network actor besides the
browser and server as an integral part of the e2e framework.  If we don't,
then I am afraid that we'll keep on designing protocols for a detached
reality.

However, I read the last paragraph of the IAB "statement on Internet
Confidentiality" with a grain of optimism: "[...] IAB will work with those
affected to foster development of new approaches for these activities
which allow us to move to an Internet where traffic is confidential by
default."

Are these "new approaches" a signal of the actual availability of the IAB
to re-think the security building blocks of the Internet?  I do hope so.

Received on Tuesday, 18 November 2014 14:06:46 UTC