[147997] in cryptography@c2.net mail archive


Re: [Cryptography] HTTP should be deprecated.

daemon@ATHENA.MIT.EDU (Eric Mill)
Mon Nov 4 14:31:55 2013

X-Original-To: cryptography@metzdowd.com
In-Reply-To: <5277D95B.8040404@stpeter.im>
From: Eric Mill <eric@konklone.com>
Date: Mon, 4 Nov 2013 14:01:15 -0500
To: Peter Saint-Andre <stpeter@stpeter.im>
Cc: cryptography@metzdowd.com
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com

I'm very pro-HTTPS for as many places as possible, switched to use it on my
own site, and documented how to do it
<https://konklone.com/post/switch-to-https-now-for-free> in detail.

But I'm also very pro-"it should be easy to publish things on the
Internet", and key management *is* a pain in the ass. Requiring it
Internet-wide would raise the barrier for people new to web publishing to
get started, and/or make more people just use a *.wordpress.com or
*.whatever.com domain, rather than bother getting their own.

Instead, we should establish very clear norms about HTTPS for services and
web applications of all kinds. If you have the ability to add HTTPS
support, you should, and the mandate is especially clear for hosting
services.

For example, one glaring gap for me is Github Pages. It's impossible to use
HTTPS if you host something via Github Pages, whether or not you use your
own domain name (unless you do something expensive like put CloudFront in
front of it).

Caching with HTTPS is a problem. One source of reluctance for major
platforms to support HTTPS is that CDNs like Akamai raise their prices
drastically if you want HTTPS. That's a major market force that guides the
decision companies make, and it's one we should commit ourselves to
changing.


On Mon, Nov 4, 2013 at 12:28 PM, Peter Saint-Andre <stpeter@stpeter.im> wrote:

> On 11/4/13 7:50 AM, Greg wrote:
> > Could someone please forward this message to the Elders of the
> > Internet??
> >
> > It's time to make encryption mandatory in all communication
> > protocols.
>
> Some of us are working on that for some protocols:
>
> https://github.com/stpeter/manifesto
>
> Peter
>
> - --
> Peter Saint-Andre
> https://stpeter.im/
>
>
> _______________________________________________
> The cryptography mailing list
> cryptography@metzdowd.com
> http://www.metzdowd.com/mailman/listinfo/cryptography
>



-- 
konklone.com | @konklone <https://twitter.com/konklone>
