- From: Amos Jeffries <squid3@treenet.co.nz>
- Date: Wed, 01 Apr 2015 17:45:18 +1300
- To: ietf-http-wg@w3.org
On 31/03/2015 2:00 p.m., Stephen Farrell wrote:
>
>
> On 31/03/15 01:07, Adrien de Croy wrote:
>>
>> With MitM all bets are off
>
> Seems to me that claims of the prevalence of MitM are
> somewhat exaggerated. The last study I recall of those
> in the wild found about 0.41% of requests affected. [1]
>
> So I think any argument of the form "don't do X to try
> be more secure or private, since the prevalence of MitM
> implies X is pointless" ought be considered bogus at the
> ~99.5% confidence level, at least according to [1].

You seem to be seeing different claims.

I, Adrien, Willy, PHK have been stating that MITM exist already in TLS *and are increasing*.

The research you point out supports that statement, they saw TLS MITM rates double within just last year. With growth of malware instances almost tripling.

The call we are making is to avoid doing things which encourage that growth to increase any further.

Some cases of your "X" are things which actively force ISP / CDN people to become MITM against their will. Those "improvements" are actively harming both privacy and security for everybody in the guise of improving only-security for only-some of Internet participants.

"First, do no harm" comes to mind.

Amos
Received on Wednesday, 1 April 2015 04:45:54 UTC