HTTP/2 - Unintended consequences of pseudo-mandatory TLS

Dear all,

Whilst I'm not certain that this is the right forum to address browser
support for h2c / non-TLS HTTP/2, I'd like to state my concerns over the de
facto requirement for TLS.

Whilst the aims of the "SSL everywhere" movement seem reasonable, I'm
unconvinced. I'm concerned that in practice, it will make the web less
secure whilst creating the illusion of security.

In many parts of the western world, bandwidth exists in sufficient
quantities for local caching to be overlooked as a concern, but it certainly
isn't universal - indeed, reliable connectivity is an issue in some
locations, and a caching proxy is an appealing solution.

TLS proxies already exist that can be used to mitigate this, provided
someone is willing to install a root CA to accept re-signed content. Some
corporate desktops do this as part of a standard build. Forcing TLS on web
users will encourage this practice.

There will also be cases where in lieu of installing a root CA, users will
become accustomed to accepting self-signed or suspicious certificates,
potentially to a level where it becomes automatic even for sites that
really shouldn't have this issue.

There's a psychological impact to churning out the message that "this site
is secure" - it predisposes users to think that if they can see a secure
padlock/green tick/whatever then they don't need to concern themselves with
what information they're sharing, and why - legitimate sites can be hacked,
less reputable ones can get SSL certificates, and if there isn't at least
one intelligence agency or organised crime cartel that has a copy of a real
root CA cert, then I'm a teapot.

Regards,

Phil Lello

Received on Sunday, 13 March 2016 20:18:23 UTC