
Re: Draft finding - "Transitioning the Web to HTTPS"

From: Yves Lafon <ylafon@w3.org>
Date: Thu, 8 Jan 2015 15:22:16 -0500 (EST)
To: "Eric J. Bowman" <eric@bisonsystems.net>
cc: Martin Thomson <martin.thomson@gmail.com>, Tim Berners-Lee <timbl@w3.org>, Henri Sivonen <hsivonen@hsivonen.fi>, Public TAG List <www-tag@w3.org>
Message-ID: <alpine.DEB.2.00.1501081512490.1927@wnl.j3.bet>
On Tue, 6 Jan 2015, Eric J. Bowman wrote:

> Martin Thomson wrote:
>> Tim Berners-Lee wrote
>>> If the videos are all https: then he won't be able to cache them,
>>> except -- not to worry, the tools he buys will probably include
>>> MITM attack tools, so in fact he *will* be able to cache things
>>> after all.
>> I think that it's a little sad that this is the only response we have
>> to this situation.  Of course we can break the encryption.  It does
>> instantly restore function to our existing toolchain.
>> Or, we could apply ourselves to the problem and then maybe we can have
>> both security AND caching.
>> Jus' sayin'.
> +1
> My point entirely. Eliminating caching in the name of security,
> particularly if the result isn't secure, amounts to throwing the baby
> out with the bathwater. It's a cop-out by the very institutions folks
> rely on to solve problems, not come up with cop-outs, regardless of how
> marketable such cop-outs are to the gullible.

It depends on what "security" means here: pervasive monitoring (aka
sniffing), which should be resolved with hop-by-hop encryption, or MITM,
which requires end-to-end encryption.

Having both hop-by-hop and end-to-end would have been nice, but as a word
of caution, compression of the payload body in HTTP could be done using
Transfer-Encoding or Content-Encoding. Almost no UA implemented TE:, and
almost no servers implemented Transfer-Encoding apart from chunking. What
is widely used is Content-Encoding, and not without bugs (like issues with
ETag handling), so, as for https, the end-to-end version wins as it is
easier to deploy/debug/control.

And saying that the only solution for people with poor bandwidth is to get
rid of their security is not really satisfying.

Wander as you will, you will always return to your own. (Baroula que barouleras, au tiéu toujou t'entourneras.)

Received on Thursday, 8 January 2015 20:22:19 UTC
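The message above mentions that Content-Encoding, the end-to-end form of HTTP compression, has historically been deployed "not without bugs (like issues with ETag handling)". The following is an added example, not code from this thread, from Yves Lafon, or from any W3C project: a small server-side model of the correct handling, in which every encoded representation of a resource carries its own validator and a Vary header, so a cache or a conditional request can never confuse the gzip body with the identity one. The function names (parse_accept_encoding, choose_encoding, build_response, conditional_response) and the "-gzip" ETag suffix convention are this example's own assumptions, not anything specified by HTTP; the sample body is constructed.

```python
"""Content-Encoding negotiation with one ETag per representation.

Added example (not from the mailing-list thread). A compressed and an
uncompressed body of the same resource are different representations, so
they must not share a validator; otherwise a cache may return the wrong
one on revalidation, or splice ranges from the two together.
"""
import gzip
import hashlib
import zlib

SUPPORTED = ("gzip", "deflate")  # codings this example server can produce


def parse_accept_encoding(header):
    """Parse an Accept-Encoding value into {coding: q}; a missing q means 1.0."""
    prefs = {}
    for item in header.split(","):
        item = item.strip()
        if not item:
            continue
        parts = [p.strip() for p in item.split(";")]
        q = 1.0
        for p in parts[1:]:
            if p.lower().startswith("q="):
                try:
                    q = float(p[2:])
                except ValueError:
                    q = 0.0  # malformed qvalue: treat as "not acceptable"
        prefs[parts[0].lower()] = max(0.0, min(q, 1.0))
    return prefs


def choose_encoding(header):
    """Pick the highest-q supported coding, else identity.

    Returns None only when identity itself is refused (q=0) and no supported
    coding is acceptable, which maps to a 406 below.
    """
    prefs = parse_accept_encoding(header or "")
    wildcard = prefs.get("*")
    best, best_q = None, 0.0
    for coding in SUPPORTED:
        q = prefs.get(coding, wildcard if wildcard is not None else 0.0)
        if q > best_q:
            best, best_q = coding, q
    if best is not None:
        return best
    # identity is acceptable unless explicitly excluded (RFC 7231 section 5.3.4)
    ident_q = prefs.get("identity", wildcard if wildcard is not None else 1.0)
    return "identity" if ident_q > 0 else None


def encode_body(body, coding):
    if coding == "gzip":
        return gzip.compress(body)
    if coding == "deflate":
        return zlib.compress(body)
    return body


def decode_body(data, coding):
    if coding == "gzip":
        return gzip.decompress(data)
    if coding == "deflate":
        return zlib.decompress(data)
    return data


def build_response(body, accept_encoding):
    """Build a response whose ETag is specific to the chosen representation."""
    coding = choose_encoding(accept_encoding)
    if coding is None:
        return {"status": 406, "headers": {}, "body": b""}
    base = hashlib.sha256(body).hexdigest()[:16]
    # Assumed convention of this example: suffix the validator with the coding
    # so identity and gzip representations never share an ETag.
    etag = '"%s"' % base if coding == "identity" else '"%s-%s"' % (base, coding)
    headers = {"ETag": etag, "Vary": "Accept-Encoding", "Content-Type": "text/plain"}
    if coding != "identity":
        headers["Content-Encoding"] = coding
    return {"status": 200, "headers": headers, "body": encode_body(body, coding)}


def conditional_response(body, accept_encoding, if_none_match):
    """Answer a conditional GET: 304 only if the client's validator names the
    representation we would send now (weak comparison, RFC 7232 section 3.2)."""
    resp = build_response(body, accept_encoding)
    if resp["status"] != 200:
        return resp
    held = [t.strip() for t in (if_none_match or "").split(",") if t.strip()]
    held = [t[2:] if t.startswith("W/") else t for t in held]
    if "*" in held or resp["headers"]["ETag"] in held:
        return {"status": 304,
                "headers": {"ETag": resp["headers"]["ETag"], "Vary": "Accept-Encoding"},
                "body": b""}
    return resp


if __name__ == "__main__":
    sample = b"hello from the cache\n" * 50  # constructed sample body
    gz = build_response(sample, "gzip;q=1.0, identity;q=0.5")
    print(gz["headers"], len(gz["body"]), "bytes")
    print(conditional_response(sample, "", gz["headers"]["ETag"])["status"])
```

The last call in the usage block is the case the thread alludes to: a client that validated against the gzip representation revalidates without Accept-Encoding, and because the validators differ it correctly gets a fresh 200 with the identity body rather than a 304 pointing at a representation it cannot use.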
