- From: Poul-Henning Kamp <phk@phk.freebsd.dk>
- Date: Sat, 05 Dec 2015 00:20:45 +0000
- To: Jacob Appelbaum <jacob@appelbaum.net>
- cc: Mike Belshe <mike@belshe.com>, Amos Jeffries <squid3@treenet.co.nz>, httpbis mailing list <ietf-http-wg@w3.org>
-------- In message <CAFggDF2L1==CBMjrTxwsLYxNYaXjUReKOnqGGLc6VNokpZwNEQ@mail.gmail.com> , Jacob Appelbaum writes: >> But SSL/TLS is just about the worst encryption you can bring to >> that fight, because it is *so* trivial and routine to MiTM that you >> can find the list-price for the necessary equipment on Google. > >This is where we diverge, I suspect. None of that equipment is going >to work against PayPal or Google or even Tor Project's website when a >user uses a modern browser as those sites are TLS with cert pinning. You're right. PayPal, Google and the Tor Project will probably just stop working in Kazakstan, and either they decide to follow the duly enacted and valid laws of that country, or they will not be doing business there. For Kazakstan they *might* be able to shrug, although the track-record indicates that the first two tend to follow local laws. I have no idea what the Tor project will do, but fortunately the human rights activists I know about has a fallback. But have you followed the political discourse in UK recently ? Will PayPal, Google and the Tor Project be able to shrug it off when the UK government makes a similar move ? >While many sites can be attacked - it requires a specific on-path >attacker with access to specific high cost cryptographic resources. Dude, it's not high cost. Kazakstan probably didn't even pay a million dollars for their kit. >> Deploy *that* with good key-management tools[1] and the politicians >> will face the much more impalatable choice of "Block or Pass". > >We can't choose a single tactic [...] That response is a little bit ironic, coming from one of the loudest "TLS everywhere" advocates... -- Poul-Henning Kamp | UNIX since Zilog Zeus 3.20 phk@FreeBSD.ORG | TCP/IP since RFC 956 FreeBSD committer | BSD since 4.3-tahoe Never attribute to malice what can adequately be explained by incompetence.
Received on Saturday, 5 December 2015 00:21:12 UTC