Re: Draft finding - "Transitioning the Web to HTTPS"

Martin Thomson wrote:
> Tim Berners-Lee wrote
> > If the videos are all https: then he won't be able to cache them,
> > except -- not to worry, the tools he buys will probably include
> > MITM attack tools, so in fact he *will* be able to cache things
> > after all.
> I think that it's a little sad that this is the only response we have
> to this situation.  Of course we can break the encryption.  It does
> instantly restore function to our existing toolchain.
> Or, we could apply ourselves to the problem and then maybe we can have
> both security AND caching.
> Jus' sayin'.


My point entirely. Eliminating caching in the name of security,
particularly if the result isn't secure, amounts to throwing the baby
out with the bathwater. It's a cop-out by the very institutions folks
rely on to solve problems, not come up with cop-outs, regardless of how
marketable such cop-outs are to the gullible.

An insecure basis for enhancing future security is an oxymoron, at best.
Ubiquitous HTTPS is being sold as "good enough for now, we'll fix it
later," which gives me the willies. Fixing it later may amount to one
helluva lot more work than getting started off on the right foot.


Received on Wednesday, 7 January 2015 05:55:08 UTC