- From: Greg Wilkins <gregw@intalio.com>
- Date: Thu, 20 Nov 2014 17:45:35 +1100
- To: Tim Bray <tbray@textuality.com>
- Cc: Mark Nottingham <mnot@mnot.net>, HTTP <ietf-http-wg@w3.org>
- Message-ID: <CAH_y2NE_nUPJn8i=jZtmpJcVLKkBdSGeQrJx2sU5nHApL20ppg@mail.gmail.com>
On 20 November 2014 15:24, Tim Bray <tbray@textuality.com> wrote:

>> Encrypting is not going to help with any of these problems
>
> Yes, it will *help*. No, it will not *solve* them, and solving them is
> important, but providing help now is a good thing to do. Every layer of
> privacy technology drives attacker costs up and makes certain attacks
> non-economic. I for one am not willing to put improvements on hold for
> years while we strive for the perfect at the expense of the good.

Tim, if the problem is to make users regain trust that their private data is safe, then anything that *not solves* the problem while trying to appear to actually makes the trust problem worse.

So I'm totally fine with saying "Use TLS because it will protect you from revealing your passwords, bank accounts, and other data you send to anybody but the server (who we assume you trust with all that stuff)". I'm not fine with saying "Use TLS because it will protect your privacy when using the internet".

To be blunt, many if not most privacy concerns come from either end of the connection: either somebody sending you a convincing Phish or the server does something they should have with your data. Many of the man in the middle privacy attacks work on just meta data.

So by all means, let's use encryption and encourage its use. But let's not pretend it provides anything more than encryption - which is neither privacy nor trust.

cheers

--
Greg Wilkins <gregw@intalio.com> @ Webtide - *an Intalio subsidiary*
http://eclipse.org/jetty HTTP, SPDY, Websocket server and client that scales
http://www.webtide.com advice and support for jetty and cometd.

Received on Thursday, 20 November 2014 06:46:03 UTC