- From: Mark Nottingham <mnot@mnot.net>
- Date: Tue, 6 Jan 2015 15:14:05 -0500
- To: Chris Palmer <palmer@google.com>
- Cc: Tim Berners-Lee <timbl@w3.org>, Henri Sivonen <hsivonen@hsivonen.fi>, Public TAG List <www-tag@w3.org>
Side note — This is already done on a wide scale, but without the friendly note about the side effects; search for “install a CA certificate” and similar, and you’ll find that many, many corporations and educational institutions give such instructions without explaining the security tradeoff. The browser/OS trust stores need to do a better job of informing users of the power given to someone when a new CA is installed, at the very least. I’d personally prefer it if there were also obvious (or even default) means of limiting the power of new trust roots. Cheers, > On 5 Jan 2015, at 1:56 pm, Chris Palmer <palmer@google.com> wrote: > > On Mon, Jan 5, 2015 at 3:04 AM, Tim Berners-Lee <timbl@w3.org> wrote: > >> As it happens I just talked to someone who runs a small remote island with >> about 400 people. >> I didn't ask but he brought it up of his own accord, that with everyone on >> wifi and a (17Mb/s ?17MB/s ? he wasn't sure) link supporting everyone, he >> had been recommended and was planning to install a commercial island-wide >> web proxy cache product, as he felt a lot of people watched the same movies. > > In this specific case, I don't see a problem. He can say, on a web > page at https://small-island.org or in an email, > > """ > Hello, my fellow Small Islanders. So, as you know, we have a > low-bandwidth link, and YouTube is getting slower now that our > transparent cacheing proxy doesn't work as much. So, I'm going to > install a non-transparent proxy that can proxy even the secure > connections to sites like YouTube. > > In order for this to work, you'll have to explicitly set your browser > to use my proxy, and you'll have to add its security certificate to > your computer. The up-side of this is that you can get faster YouTube; > the down-side of this is that you have to trust me not to spy on you. > > You might also like to install the proxy in 1 account or profile to > get the speed benefits, and not install it in another account or > profile to stay private. You could have a video profile and an email > and banking profile, for example. If there's enough interest in that, > I'll write up a tutorial. > > To make it easier to install the proxy, I've written a small .BAT file > that automates setting the proxy and trusting the certificate. You can > get it at https://small-island.org/install-proxy.bat. > > Let me know if you have any questions! Thanks, > --- Al, your Small Island tech support friend > """ > > Obviously, the .BAT file should be distributed by secure means only. :) > > People can make a choice. It will require Al to write or find a > script. A community of 400 people is small enough for this to be > manageable. > > I'm approaching this problem in a utilitarian way: we need to make the > web as safe as we can as often as we can for as many of the billions > of people in the world as we can. If 400 people have to consider > running a shell script so that being safer can be easier for the other > billions, that's an easy trade-off to make and this edge case should > not loom large in our minds. > -- Mark Nottingham http://www.mnot.net/
Received on Tuesday, 6 January 2015 20:14:31 UTC