- From: Willy Tarreau <w@1wt.eu>
- Date: Thu, 3 Dec 2015 20:06:49 +0100
- To: Robert Collins <robertc@robertcollins.net>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>, Cory Benfield <cory@lukasa.co.uk>, Jacob Appelbaum <jacob@appelbaum.net>, Mike Belshe <mike@belshe.com>, Poul-Henning Kamp <phk@phk.freebsd.dk>, Amos Jeffries <squid3@treenet.co.nz>

On Fri, Dec 04, 2015 at 07:32:39AM +1300, Robert Collins wrote:
> On 4 December 2015 at 07:05, Willy Tarreau <w@1wt.eu> wrote:
> > If you're pushing
> > for more TLS, you're just pushing for more surveillance. That's a fact
> > and it has been proven by this news article. The push for TLS everywhere
> > has at least broken all Kazakhs' privacy.
>
> The government mandated visible inspection of traffic that they can't
> otherwise see *because* we've improved the baseline.

That's exactly what we've been warning against for years. And note that it's not "they can't otherwise see" but "they're targeting the easiest and cheapest way".

In France if you want to see people's communications, you first declare them terrorist and then you confiscate their PC, you claim the data are encrypted, you ask for the key and if they refuse or try to explain that there's no encryption, you put them in jail until they change their mind (or they try to invent whatever they can if there was really no encryption). And people applaud because one more terrorist got arrested. I'm pretty sure it's the same in many other countries which don't spend money cracking all SSL communications.

> It makes the
> intrusion visible but it in no way changes the privacy that users in
> Kazakhstan experience: their plaintext traffic is certainly already
> compromised all the time.

Did it ever come to your mind that it was possible that these people didn't care a dime about their clear text traffic being seen by their government, neighbors, coworkers, ISPs and whatever ? Most people nowadays fear the *endpoint*. The big company on the other side knowing everything about your life and suggesting when you should take your bus before you even thought you could take a bus. You know, when you perform a google search and you see a very small and discreet icon on the top right showing your name and you say "ah shit, I just fed their base again", time to log out.

> > I predict that in less than 10 years we'll all be using point-to-point
> > TLS because everyone will legally crack it along the way. What a great
> > internet it will be! It used to be limited for *certain* activities
> > only, making it uninteresting to crack most of the time.
>
> So when we make it infeasible to crack in a stealth fashion,

How do you as a user make the difference between the end point and the MITM when technically they are the same devices implementing the same protocols and the same keys ?

> As for whether the bulk of internet users want privacy: I haven't met
> a single non-internet-technicalities-savvy person who didn't express
> immense surprise at the idea that their normal browsing would be
> visible to *anyone* other than the site they were browsing on.

That's exactly why some of us have said that education is more important than false security. I've heard the media tell people for years that without the small lock on their browser, everyone could sniff their exchanges. But ISPs have been selling WiFi routers with default configs and cleartext setups without telling anything. Then they have claimed that WPA was secure. Etc. People trust what we tell them. Let's be clear about the real risks and the real solutions.

> I will happily admit that savvy users can choose to make a tradeoff,
> but non-savvy users take time to become savvy, and we've 7 billion
> people's needs to balance out. Is it less harmful to:
>
> - expose everything and then opt into security once you've learnt
> enough about the architecture of the internet to understand what's
> going on

How are the weather forecast or traffic jams considered "exposed" when they're delivered for the widest possible public consumption ?

> - protect everything and then opt into publicity once you've learnt
> enough about the arch...

Except that by protecting everything you immediately trigger the "unprotect everything" weapon in the other camp.

It used to be the exact same with company proxies. Most companies just want to have web-based anti-virus not to have to reinstall their PCs all the time. They don't care about what you're doing on the net because they made you sign a chart where you accept the responsibilities for your actions. It used to work pretty well, anti-virus software was able to analyse blogs and whatever. The few tens to hundreds of sites requiring SSL were just whitelisted after being validated by the admin as looking like "serious sites".

With TLS everywhere, these companies are forced to act as an MITM to still enforce their anti-virus. Is it a problem for them ? Absolutely not. Are the users at risk ? Absolutely. Because of this, dumb admins who didn't have access to the encrypted traffic at all now can see it in logs and sometimes even contents. They can snarf it just for fun on a boring day. But doing this on certain communications is a really bad thing. And this was made possible by blind excess of security.

Why do you think laws can pass to mandate decryption ? That's simple, people don't fight because they don't care for their contents! But you forced them to accept their few sensitive communications to be decrypted in the process. They probably don't feel happy but they'll trust their governments not to act badly because most of them consider they have nothing to hide.

In France we had "hadopi" years ago, it mandated that ISPs sniff traffic and report certain activities. Did people go down in the streets because of this ? Certainly not. If next year the government provides a national certificate to decrypt everything and enforces it on ISPs, just like last time, they will complain about the deployment cost but that will be the only real reaction.

> The principle of least surprise suggests that protecting everything
> and opting into publicity is better.

In theory I absolutely agree, except that you're not protecting against random things but living beings which are smart and react to your actions. That completely changes things. When you build protections against earthquakes it's nice because the earth doesn't try to attack you. Doing this against people who have many ways to get your data is just a way to ensure they will use the next level of weapon to reach their goal.

Sometimes it's fun to feel stronger than the rest of the world, but it can also come with great disillusions...

Willy

Received on Thursday, 3 December 2015 19:07:34 UTC