RE: SSL/TLS everywhere fail

> "It could be this WG's job to design protocols and deployment recommendations that 
> make monitoring easy to integrate, discover, and either consent to or reject."
+1

There are multiple use cases where a trusted intercepting proxy could come into play.
To name a few:
- monitoring of criminal activity by authorities
- preventing leakage of secure information by rogue employees
- filtering of malware and phishing sites
- optimizing user data for delivery over congested radio network

Piotr

-----Original Message-----
From: Willy Tarreau [mailto:w@1wt.eu] 
Sent: Thursday, December 03, 2015 6:17 PM
To: Alex Rousskov <rousskov@measurement-factory.com>
Cc: HTTP Working Group <ietf-http-wg@w3.org>; Robert Collins <robertc@robertcollins.net>
Subject: Re: SSL/TLS everywhere fail

On Thu, Dec 03, 2015 at 03:26:37PM -0700, Alex Rousskov wrote:
> On 12/03/2015 11:32 AM, Robert Collins wrote:
> 
> > I haven't met
> > a single non-internet-technicalities-savvy person who didn't express 
> > immense surprise at the idea that their normal browsing would be 
> > visible to *anyone* other than the site they were browsing on.
> 
> I have met many technically-illiterate folks who assume their 
> impersonal communications are monitored by their government. If given 
> the choice of no internet or monitored internet, I bet many would pick 
> the latter (and would express immense surprise that they are being 
> asked a question with such an obvious [to them] answer!).

Confirmed, I used to be one of those. For 12 years I've been using Yahoo Mail to read my e-mails at customers' because it was the only one allowing me to access my mail in clear, hence not being blocked by corporate proxies. Oh and Yahoo's login box warned me about the insecure aspect of this connection so I did it on purpose! I only had to tell people not to send me sensitive information on this address since I knew that potentially anyone could access it as well. And I've been a happy user for all this time.

A few whiners used to make fun of me while complaining that they didn't have e-mail access from the same places. Indeed it was the only one that would pass since it was the only one that the anti-virus could analyze.
It's simply that different people have different priorities. Mine were to have this access. Others probably had much more sensitive information to exchange and couldn't afford a free unsecured webmail account.

> It is not this WG's job to decide whether the Kazakh government (or the 
> example.com employer or a concerned parent) has the right to monitor 
> communication of their citizens (or employees or kids). It could be 
> this WG's job to design protocols and deployment recommendations that 
> make monitoring easy to integrate, discover, and either consent to or reject.
> 
> Doing so would save a lot of energy for such useful things as 
> educating folks about surveillance trade-offs so that their consent 
> (or lack thereof) becomes more informed.

+1

Willy

Received on Thursday, 3 December 2015 23:34:44 UTC