Re: Preparing to Publish HTTPS Finding

Eric J. Bowman wrote:
>
> Domenic Denicola wrote:
>
> >
> > Deploying HTTPS has no liability implications any more than deploying
> > HTTP does.
> >
> 
> My attorney disagrees, if my purpose in deploying HTTPS is privacy I
> can't guarantee by deploying HTTPS.
> 

Sorry, that was a bit glib. To elaborate, my attorney doesn't grok this
stuff, so I put it to him as a metaphor:

It's perfectly legal for me to open a bar in Washington, D.C. catering
to the political class. My customers won't come if anyone can monitor
their comings and goings by surveilling the front door. So I dig a
tunnel, and tell everyone that this is the "private" entrance.

If someone manages to surveil my tunnel, whose fault is that? If not
mine, aren't I still liable, even with a disclaimer -- if I knowingly
offer a service I know I can't guarantee?

The difference with my bank account is access to the remote end of the
tunnel requires a password. If I require that for my bar, I'm limiting
privacy to repeat customers, instead of disingenuously offering it to
the world at large.

I don't have a problem with that. I can allow more customers into my
bar via the front door than the tunnel. Then, instead of guaranteeing
privacy for all comers which I can't hope to deliver, I only need to
offer it to those who are willing to authenticate themselves to me.

My problem with implementing unauthenticated HTTPS is my only reason
for doing so is ensuring the privacy of everyone, to which I can't help
but see a liability downside. My attorney also owns his own website,
and while he sympathizes with those who might like to believe that
nobody can monitor them viewing it, he also sees my point that this is
a foolish thing to even *appear* to offer, if it can't be guaranteed.

-Eric

Received on Friday, 9 January 2015 01:24:49 UTC