Re: Fwd (TAG): Draft finding - "Transitioning the Web to HTTPS"

Mark Nottingham wrote:
> 
> What I find interesting is that by the numbers I’ve seen and talked
> to people about in the industry, the vast majority of people *don’t*
> use a proxy cache; that said, what we all seem to be concerned about
> are those specific cases where they are used, and they really help.
>

Or, don't *think* they use a proxy cache. Most industry insiders will
say conneg is irrelevant, while using conneg to implement compression,
so I have low confidence that they're aware of various devices between
themselves and the websites they access.

I'm about to post this link in another response...

http://www.cs.washington.edu/research/security/web-tripwire/nsdi-2008.pdf

...but it's interesting to note that aside from squid, there's no
overlap between that document's list of intermediaries, and one we came
up with on rest-discuss a few years back. They're called "transparent"
proxies for a reason, even if they don't cache, and HTTPS threatens
that entire ecosystem.

> 
> > 3) We had an interesting offline discussion at the privacy workshop
> > on “imagine if every router on the internet did NAT”.  This means
> > that the ability to trace people by IP address would be curtailed:
> > people often don’t both to reduce fingerprinting because the source
> > IP address has already ‘given the game away'. It’s an interesting
> > thought experiment, but its impact on security might be negative.
> > (And there are many other problems, notably pper-peer connections
> > for things like telephony.)
> > 
> > Maybe worth a paragraph?
> 
> Once one scratches the surface, you can find a multitude of security
> and privacy issues on the Web and Internet. While they’re important
> issues to consider, I’m striving to NOT make this finding the
> be-all-and-end-all of security and privacy, because it will make it
> that much difficult to agree upon, read, and understand. Small
> steps...
> 

Provided those steps are going in the right direction, vs. painting the
Web into a corner.

FWIW, my NAT gives me away due to timezone and clock skew. Those two
data points equate to like, 1 in 500. Orthogonal, but add Opera and
1600x1200 resolution, and four data points nail me right down. Being a
modern dinosaur really makes me stick out...

While I can appreciate the desire for TAG to crank out a producible, I
have issues with anointing TLS when it doesn't address the root problem
of page integrity, while doing away with caching I may very well need
even more, if Net Neut goes the way of the Dodo.

-Eric

Received on Saturday, 20 December 2014 06:53:38 UTC