W3C home > Mailing lists > Public > www-tag@w3.org > January 2015

Re: Draft finding - "Transitioning the Web to HTTPS"

From: Paul Libbrecht <paul@hoplahup.net>
Date: Mon, 19 Jan 2015 23:23:44 +0100
Cc: Anne van Kesteren <annevk@annevk.nl>, "Henry S. Thompson" <ht@inf.ed.ac.uk>, Mark Nottingham <mnot@mnot.net>, Henri Sivonen <hsivonen@hsivonen.fi>, Chris Palmer <palmer@google.com>, Noah Mendelsohn <nrm@arcanedomain.com>, "Michael[tm] Smith" <mike@w3.org>, Tim Berners-Lee <timbl@w3.org>, Public TAG List <www-tag@w3.org>
Message-Id: <4DC50656-27F3-4A69-9DB9-158E085C3B07@hoplahup.net>
To: Julian Reschke <julian.reschke@gmx.de>
>> Please stop saying we are steadily under attack. We are not.
> My understanding is that yes, indeed, we are: <http://www.theguardian.com/uk/2013/jun/21/gchq-cables-secret-world-communications-nsa>

I'm afraid that our current efforts is not going to stop these efforts…
Also, many people seem to accept that governments' listening is not as much of an attack bothering as hackers' listening.

>> And in many many many cases in common use on the web, we do not care if
>> we would be.
> 
> Yes, in many cases. In many other cases, we however do.
> I'm also not a fan of the "everything must be encrypted *and* authenticated" approach, when "encrypt as much as you can" would solve many of these problems as well, without introducing these other problems we've been discussing here. But pretending that there is no problem that needs to be solved doesn't help either.

I hope I was not expressing this.
What I ways expressing is that the choice should be possible.
Currently, choosing self-signed-certs is deadly for uninformed users to see your website. It is not a choice.

paul
Received on Monday, 19 January 2015 22:24:20 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 22:57:09 UTC