davidbgk
/
larlet-fr-david-cache
Watch 1
Star 0
Fork 0
Code Releases 0 Activity
A place to cache linked articles (think custom and personal wayback machine)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
42 Commits
1 Branch
Tree: 2e4d51a7b7
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '2e4d51a7b7'
${ noResults }
larlet-fr-david-cache/cache/05736d9775fba3be938ebd24c97.../index.md

index.md 3.6KB
Raw Normal View History

Add cache data
4 years ago
 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354 
  1. title: Re: Proposed Statement on "HTTPS everywhere for the IETF"

  2. url: http://www.ietf.org/mail-archive/web/ietf/current/msg93416.html

  3. hash_url: 05736d9775fba3be938ebd24c978ac6c

  4. 

  5. > On Jun 4, 2015, at 9:53 AM, Joe Hildebrand wrote:

  6. >

  7. >> On 4 Jun 2015, at 9:37, Tony Hain wrote:

  8. >>

  9. >> My overall concern here is that statements like this undermine the integrity of the organization. I understand people wanting to improve overall privacy, but this step does not do that in any meaningful way.

  10. >

  11. > Encrypting the channel does provide some small amount of privacy for the *request*, which is not public information.  Browser capabilities, cookies, etc. benefit from not being easily-correlated with other information.

  12. 

  13. That is message confidentiality, not privacy.  Almost all of the privacy bits (as in, which

  14. person is doing what and where) are revealed outside of the message.

  15. 

  16. > It would be interesting to define an HTTP header of "Padding" into which the client would put some random noise to pad the request to a well-known size, in order to make traffic analysis of the request slightly more difficult.  This is the sort of thing that comes up when we talk about doing more encryption for the IETF's data, which shows the IESG's suggested approach to be completely rational.

  17. 

  18. Browsers don't send singular messages containing anonymous information.  They send a complex

  19. sequence of messages to multiple parties with an interaction pattern and communication state.

  20. The more complex and encrypted the communication, the more uncommon state and direct

  21. communication is required, which makes it easier to track a person across multiple requests

  22. until the user's identity is revealed.  Furthermore, with TLS in place, it becomes easy and

  23. commonplace to send stored authentication credentials in those requests, without visibility,

  24. and without the ability to easily reset those credentials (unlike in-the-clear cookies).

  25. 

  26. Padding has very little effect.  It isn't just the message sizes that change -- it is all

  27. of the behavior that changes, and all of the references to that behavior in subsequent

  28. requests, and the effects of those changes on both the server and the client.

  29. 

  30. TLS does not provide privacy.  What it does is disable anonymous access to ensure authority.

  31. It changes access patterns away from decentralized caching to more centralized authority control.

  32. That is the opposite of privacy.  TLS is desirable for access to account-based services wherein

  33. anonymity is not a concern (and usually not even allowed).  TLS is NOT desirable for access to

  34. public information, except in that it provides an ephemeral form of message integrity that is

  35. a weak replacement for content integrity.

  36. 

  37. If the IETF wants to improve privacy, it should work on protocols that provide anonymous

  38. access to signed artifacts (authentication of the content, not the connection) that is

  39. independent of the user's access mechanism.

  40. 

  41. I have no objection to the IESG proposal to provide information *also* via https.  It would

  42. be better to provide content signatures and encourage mirroring, just to be a good example,

  43. but I don't expect eggs to show up before chickens.  However, I agree with Tony's assessment:

  44. most of the text is nothing more than a pompous political statement, much like the sham of

  45. "consensus" that was contrived at the Vancouver IETF.

  46. 

  47. TLS everywhere is great for large companies with a financial stake in Internet centralization.

  48. It is even better for those providing identity services and TLS-outsourcing via CDNs.

  49. It's a shame that the IETF has been abused in this way to promote a campaign that will

  50. effectively end anonymous access, under the guise of promoting privacy.

  51. 

  52. ....Roy

  53. 

  54. </pre>