Wild Tangent about Crypto (was Re: CfC: only allow authenticated origins to call getUserMedia)

On 10/8/14 16:45, Chris Palmer wrote:
> TL;DR: We don't have time, user attention, or space to communicate
> crypto nuance. Therefore we must quantize the security guarantee
> upward.

Sure. You're getting off onto the tangent of opportunistic encryption, 
rather than really talking about the gUM issue. I'll post one quick 
rebuttal here, and then I intend to let the issue alone on this list 
(since it's several steps removed from the media capture charter).

I think where you're misconstruing [1] what the proponents of 
opportunistic encryption [2] are proposing is that you're pretending 
that someone, somewhere has proposed that such connections should carry 
the full regalia of authenticated connections [3].

I don't believe anyone is seriously proposing that.

I believe I'm speaking in alignment with most or all of the proponents 
of opportunistic encryption when I say that the expectation is that the 
user-visible interface would render such connections as "insecure." They 
just *happen* to be impervious to passive attacks. The user doesn't need 
to know about this to benefit; and I think we're in agreement that 
telling them about such a nuanced situation is likely to lead them to 
act in ways that are counter to their interest.

The only real difference between deploying or not deploying 
opportunistic encryption is that deploying it makes things non-trivially 
better for users' privacy, even if they don't know about it.


[1] I'm giving you the benefit of the doubt here that this is a simple 
misunderstanding rather than feigning ignorance, although the strawmen 
you're using have the unfortunate appearance of intentional caricatures 
rather than honest representations of the opposing position. Your 
pedigree implies that you might know better.

[2] And I do mean *encryption*, not some pseudo-crypto obfuscation as 
you imply -- do you really think that's what people are suggesting?

[3] e.g., A lock icon, maybe some green or blue splashed on the UI 
somewhere, additional information pulled from the server cert, etc.

Received on Wednesday, 8 October 2014 22:32:21 UTC