Re: comprehensive TLS is not the solution, it's a bug ... (was 2 questions)

On Wed, Apr 01, 2015 at 02:58:31AM +0800, Maxthon Chan wrote:
> I mean TLS is mandatory and all communications happens over port 443. However
> without authentication any form of encryption is pointless, so the only
> difference between http and https here in my suggestion is whether the
> certificate is authenticated or not, but keeping TLS intact would allow other
> protocol features to be used, like NPN.

All of this has been discussed to death 2 years ago already and many cases
were provided about a number of situations where this would cause more harm
than good. IoT devices were one example where you don't want to spend CPU
cycles encrypting. Being able to use the existing infrastructure as it is
is another important aspect. Forcing everyone to mix secure and non-secure
traffic on the same port doesn't necessarily come without any security/
confidentiality impact. And in my personal opinion, encrypting without
authenticating just to let people *feel* they're safe is not a good idea,
though I know that many don't share my view on this. Quite frankly, when
you want an admin to switch his internal servers to TLS, there's no better
solution than providing him with a network capture showing all his activities
in clear text. Really.


Received on Tuesday, 31 March 2015 19:06:55 UTC