Re: Preparing to Publish HTTPS Finding

On Sun, Jan 4, 2015 at 3:38 PM, Marc Fawzi <marc.fawzi@gmail.com> wrote:

> I don't think anyone has asked Why Now?
>
> Is it because the NSA made the entire Internet security infrastructure look
> like Swiss cheese? I can't think of any other circumstantial reason as to
> why this is being pushed now... Why not two years ago? We had the same
> problems with http back then. Why now?

It's not just now. I and everyone I have worked with have been pushing
for HTTPS and related security technologies for over a decade or more.

> If it is indeed the Snowden revelations and the growing fear of surveillance
> on people's minds that has prompted this response on the part of the EFF,

When I was at EFF, starting in 2003 — well before the Snowden
revelations — we were pushing for it. If you know anything about EFF
at all, you know they've been working for encryption and privacy since
the 1990s.

> TAG/W3C and other "concerned" parties then moving to https won't put an
> insurmountable obstacle to any government spying on its people and people
> everywhere but it will definitely fool the not so savvy masses into a false
> sense of security, believing that https means real privacy.

It's true that HTTPS/TLS/something equivalent is necessary but not sufficient.

But it is necessary. Secure transport is the basis on which more
sophisticated defenses for distributed applications are built.

> If there was real motivation to improve security on the web/Internet this
> discussion would be much bigger and much wider and would include all kinds
> of research efforts from academia and industry and not be so narrow-minded.

You should read more widely. The effort has indeed included all kinds
of research, engineering, and advocacy from academia, industry, and
others. For at least 20 years. Here are some keywords you can search
the web for to find interesting, far-reaching, and long-running work:

* Freedom To Tinker
* HTTPS Everywhere
* Citizen Lab
* CurveCP
* DNSCurve
* DNSSEC
* OWASP
* Off The Record Messaging
* ...

Received on Monday, 5 January 2015 20:22:32 UTC