Re: IAB Statement on Internet Confidentiality

The problem I have with TLS everywhere is reflected by this part:

> We believe that each of these changes will help restore the trust users
> must have in the Internet

It is a false promise that by encrypting all our application layer
protocols we will suddenly provide adequate security for internet
users.
It is simply not the case that encryption provides sufficient protection
of a user's "private information" to achieve any significant increase in
trust.

Protocol encryption does not protect any metadata. Observation of
encrypted traffic can still be used to work out the when, where and to whom
of your internet usage. By simple correlation of sizes and timing, very good
predictions can be made, from what you have read to who you have
communicated with on the other side of the server.

I think that pretending that TLS is a panacea that will somehow make the
public internet a safe private network is just wasting effort that would be
better spent really trying to fix the problem. Making the problem of
privacy on a public network the problem of every protocol designer is
hoping for some kind of emergent behaviour that is just not going to happen.

There are still people today hopping on flights to Nigeria with all their
life savings in their suitcase, hoping to help some dude they only met via
email import export millions of dollars. Adverts based on my search
terms still pop up on other related computers, thus revealing to my wife
what birthday present I'm searching for. Oppressive regimes still know
which websites you visit even if you use https. Encrypting is not going
to help with any of these problems and they are the kinds of problems that
need to be fixed if you want people to trust the internet.

regards

-- 
Greg Wilkins <gregw@intalio.com>  @  Webtide - *an Intalio subsidiary*
http://eclipse.org/jetty HTTP, SPDY, Websocket server and client that scales
http://www.webtide.com  advice and support for jetty and cometd.

Received on Thursday, 20 November 2014 04:14:17 UTC
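
Added example, not part of the message above: a small audit a site operator could run to see how many of their pages stay identifiable from encrypted response sizes alone, which is the size correlation the message describes. The page names and body sizes are constructed, the 29-byte per-record overhead models TLS 1.2 with AES-GCM, and the `pad_block` padding knob is an assumption that the message does not discuss.

```python
"""Audit how much response sizes alone reveal under TLS (constructed data)."""
from collections import defaultdict

# Assumed model: TLS 1.2 AES-GCM adds 29 bytes per record
# (5 header + 8 explicit nonce + 16 tag); at most 16384 plaintext bytes per record.
RECORD_MAX = 16384
RECORD_OVERHEAD = 29


def ceil_div(a, b):
    """Integer ceiling division."""
    return -(-a // b)


def wire_length(plaintext_len, pad_block=1):
    """Bytes an on-path observer counts for one response body."""
    padded = ceil_div(plaintext_len, pad_block) * pad_block
    records = max(1, ceil_div(padded, RECORD_MAX))
    return padded + records * RECORD_OVERHEAD


def anonymity_sets(pages, pad_block=1):
    """Group URLs by observable wire length; a larger group hides each member."""
    sets = defaultdict(list)
    for url, size in pages.items():
        sets[wire_length(size, pad_block)].append(url)
    return dict(sets)


def identifiable(pages, pad_block=1):
    """URLs whose wire length is unique, i.e. revealed by size alone."""
    groups = anonymity_sets(pages, pad_block).values()
    return sorted(url for group in groups if len(group) == 1 for url in group)


# Constructed sample: response body sizes in bytes for a hypothetical site.
PAGES = {
    "/": 18230,
    "/about": 7411,
    "/contact": 7398,
    "/health/condition-a": 12904,
    "/health/condition-b": 13377,
    "/health/condition-c": 12904,
}

if __name__ == "__main__":
    for block in (1, 1024, 8192):
        ids = identifiable(PAGES, block)
        print(f"pad_block={block}: {len(ids)}/{len(PAGES)} identifiable: {ids}")
```

Sizes are only one of the signals the message names; timing and the destination address are visible regardless of how the bodies are padded.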