W3C home > Mailing lists > Public > www-tag@w3.org > January 2015

Re: Draft finding - "Transitioning the Web to HTTPS"

From: Julian Reschke <julian.reschke@gmx.de>
Date: Mon, 19 Jan 2015 23:35:12 +0100
Message-ID: <54BD86A0.1000905@gmx.de>
To: Paul Libbrecht <paul@hoplahup.net>
CC: Anne van Kesteren <annevk@annevk.nl>, "Henry S. Thompson" <ht@inf.ed.ac.uk>, Mark Nottingham <mnot@mnot.net>, Henri Sivonen <hsivonen@hsivonen.fi>, Chris Palmer <palmer@google.com>, Noah Mendelsohn <nrm@arcanedomain.com>, "Michael[tm] Smith" <mike@w3.org>, Tim Berners-Lee <timbl@w3.org>, Public TAG List <www-tag@w3.org>
On 2015-01-19 23:23, Paul Libbrecht wrote:
>>> Please stop saying we are steadily under attack. We are not.
>> My understanding is that yes, indeed, we are: <http://www.theguardian.com/uk/2013/jun/21/gchq-cables-secret-world-communications-nsa>
> I'm afraid that our current efforts is not going to stop these efforts…

Making them more expensive is a step.

> Also, many people seem to accept that governments' listening is not as much of an attack bothering as hackers' listening.

The IETF clearly disagrees with that. See 

>>> And in many many many cases in common use on the web, we do not care if
>>> we would be.
>> Yes, in many cases. In many other cases, we however do.
>> I'm also not a fan of the "everything must be encrypted *and* authenticated" approach, when "encrypt as much as you can" would solve many of these problems as well, without introducing these other problems we've been discussing here. But pretending that there is no problem that needs to be solved doesn't help either.
> I hope I was not expressing this.
> What I ways expressing is that the choice should be possible.
> Currently, choosing self-signed-certs is deadly for uninformed users to see your website. It is not a choice.

+0.5. That's why we should push for more opportunistic security: 

Best regards, Julian
Received on Monday, 19 January 2015 22:35:49 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 22:57:09 UTC