W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2015

Re: 2 questions

From: Dan Anderson <dan-anderson@cox.net>
Date: Mon, 30 Mar 2015 15:33:49 -0500
Message-ID: <CAN5uf-Sxe4RWLb71-vWZvm0TVYMENK=4B+Awfz4c5NUAOEesaQ@mail.gmail.com>
To: "Walter H." <Walter.H@mathemainzel.info>
Cc: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
>think of someone or company uses Internet for e-commerce; e.g. presenting
his products is public for anybody; this doesn't need to be presented in
TLS,

Is this still a valid assumption?

I might not particularly, initially, care about confidentiality.  But I
think I would still care about the integrity benefits (Am I talking to the
site I think I am talking to?, is there a man in the middle?, etc.)

I can't think of a case where I would not want this assurance.
And I can think of all sort of nefarious things to do to others when they
don't have this assurance.

So I am disappointed that we are not taking the opportunity to fix this.

Dan

On Mon, Mar 30, 2015 at 2:32 PM, Walter H. <Walter.H@mathemainzel.info>
wrote:

> On 30.03.2015 02:50, Mike Bishop wrote:
>
>> You're skipping the discussion about why price of the cert is not the
>> cost of running TLS.  There's admin overhead in renewing the cert for each
>> domain, there's network infrastructure overhead in providing each domain a
>> unique IP address (because you can't guarantee every client supports SNI,
>> much as we'd like to), and that additional network infrastructure cost
>> means hosting becomes more expensive.
>>
> that a server needs more cpu, memory and more other resources when sending
> content using TLS in comparison to just send them plain, this is true;
> also it is true, that you need someone who renews the certs; also that you
> need a unique IP address; but it is not impossible doing so, the available
> resources would be enough;
> even IP addresses;
> let me explain a little example at the end, why you are right and more
> wrong at the same time;
>
>  But fundamentally, the argument was that if HTTP/2 needed to cover the
>> same scenarios as HTTP/1.1,
>>
> not really; or do you really think there is the need of something new that
> is the same as the old?
>
> here the example:
>
> think of someone or company uses Internet for e-commerce; e.g. presenting
> his products is public for anybody; this doesn't need to be presented in
> TLS,
> but when someone enters data to order the products, this must be done
> using TLS;
> compareable to a bank; the presentation of all products of the bank - e.g.
> interest rates, common terms and conditions, ... - can be presented
> for the public without the need of TLS, but the service of electronic
> banking must only be with TLS;
>
> now think of the "next step", the website shows advertising for what the
> company gets money, that reduces the hosting costs;
> this can be done in 2 ways: using a 3rd party, this is less efficient,
> compare it to a folder together with a newspaper;
> or without, the most efficient way, compare it to a newspaper that has
> printed the advertisings anywhere between
> the news and other informations;
>
> now think of the people that do not want see the advertisings; with the
> newspaper it is easy to bring them showing on the advertisings,
> just print them anywhere between the news; an enclosed folder with
> advertisings can be thrown away without being really noticed;
>
> a little analogy: a user can easily block 3rd party advertisings by
> blocking just these domains; for this it would not make any difference if
> it is sent plain or encrypted using TLS,
> because this blockings are domain/host specific;
> if the advertisings are done without 3rd party, then a user might block
> specifics URLs - this and the above steps can be done centrally at a proxy
> server;
> but when the whole is only sent encrypted using TLS, anybody can only stop
> the advertisings from being loaded by himself/herself without breaking the
> end-to-end encryption; a proxy server doesn't help to prevent this, except
> it does man-in-the-middle;
>
> so now the question for you: do you really think, TLS costs you so much
> more that any way of reducing the whole hosting costs isn't it worth of
> doing TLS?
>
> by the way:
> can you please read this:
> https://datatracker.ietf.org/doc/draft-hoehlhubmer-https-addon/
> I want this to be a RFC
>
> Thanks,
> Walter
>
>
>
Received on Monday, 30 March 2015 20:34:18 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:14:43 UTC