Re: Google warns of unauthorized TLS certificates trusted by almost all OSes

I don't think it's lack of English skillz on my part (couldn't care less)
as much as it is my opinion how I'm delivering it.

Remember style and context are not separate things except in the mind of
those who can't sense the brewing risk to our survival and well being as a
society. If the house is on fire, I'm not going to say that in an
intellectual manner, e.g.: There seems to be a sudden rise in temperature
within that housing structure. I'm going to say something like: the damn
house is on fire! Get out while you can! But if somebody discovers a
solution to an obscure problem in theoretical physics, you can bet that
I'll opine on it intellectually.

But I can't stand by, pontificating and arguing from a purely intellectual
place, while the Web architects itself out of relevance, long term, by
adopting shoot-me-in-the-foot ideas, and while so many terrible decisions
are being made.

I mean, like you Eric, I could say that I no longer care about the Web and
the real innovation will always win over lameness.

What English skills?

On Tue, Mar 24, 2015 at 9:21 PM, Eric J. Bowman <eric@bisonsystems.net>
wrote:

> Tim Bray wrote:
> >
> > What Daniel said.  Also, see
> > https://www.tbray.org/ongoing/When/201x/2014/07/28/Privacy-Economics
> >
>
> "There are people out there who want more: They’re not sure HTTPS is
> good enough (it is)."
>
> Is it? For example, how does TLS overcome violations of the
> Identification of Resources REST constraint?
>
> https://www.google.com/search?q=healthcare.gov+privacy+breach
>
> That issue is why I chafe every time someone says HTTPS is in my best
> interests in terms of privacy. I simply know better, as a long-time
> REST advocate, that this sort of implementation is the rule -- not the
> rare RESTful exception.
>
> No amount of slapping encryption on this problem in the name of privacy,
> does anything for user privacy. The risk in advocating ubiquitous HTTPS
> is it deceives end-users into believing their data is private. When "we"
> should know better, because architecture, where putting confidential
> information into URLs has long been the norm.
>
> I don't see how HTTPS helps. But I'd love the argument to be framed as,
> is this still better than nothing? And honestly discussed. Perhaps on
> Twitter, if TAG just doesn't want to discuss this on www-tag, for
> whatever reason (convenience springs to mind).
>
> Advocate the Identification of Resources constraint, first. Because
> that at least would get us to a starting point, to talk about using
> HTTPS for privacy. But, with the bulk of the Web putting confidential
> data in URLs, it seems foolish to me to ignore that and say "just use
> HTTPS and you'll magically have privacy". Despite any TLS shortcomings.
>
> Insane.
>
> Or just change the rules, in an effort to make me go away for bringing
> up inconvenient, yet perfectly relevant, arguments. Or just don't
> engage, or call me ignorant, or whatever, then you can just dismiss my
> position when y'all get upset that I just won't let it drop, by
> changing the listmail rules because I do get a little upset when not
> taken seriously by my peers.
>
> My experience here, recently, reminds me of that guy in Florida who
> dared to say "climate change" and got sacked pending psychological
> evaluation. Maybe I need just that, to continue posting here; because
> my position is so much at odds with TAG's that I must, by definition,
> be crazy.
>
> Or at least that's the perception some of us have of the new rules for
> the www-tag list.
>
> -Eric
>

Received on Wednesday, 25 March 2015 12:26:34 UTC