[148113] in cryptography@c2.net mail archive

Re: [Cryptography] HTTP should be deprecated.

daemon@ATHENA.MIT.EDU (John Kelsey)
Mon Nov 11 17:42:51 2013

X-Original-To: cryptography@metzdowd.com
In-Reply-To: <21118.54522.163677.721484@desk.crynwr.com>
From: John Kelsey <crypto.jmk@gmail.com>
Date: Mon, 11 Nov 2013 14:49:44 -0500
To: Russ Nelson <nelson@crynwr.com>
Cc: Greg <greg@kinostudios.com>,
	"cryptography@metzdowd.com List" <cryptography@metzdowd.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com

On Nov 9, 2013, at 7:36 PM, Russ Nelson <nelson@crynwr.com> wrote:
> I'm not going to bother encrypting connections to a website that only
> offers up public data.

There are a lot of examples of public data where it's interesting to someone that you are looking it up.  There might be people who would like to know that you are really interested in public articles on staging of breast cancer, or protease inhibitors, or gender reassignment surgery.  Some of those people might not have your best interests at heart.  

Anyway, encryption is just not that expensive, and we are clearly in an environment where lots of spying is going on.  My feeling is that the default for communications going over a network should be encrypted and authenticated, and *not* encrypting/authenticating it should require a justification.  That's the opposite of today, where the default is unprotected, and only when a case can be made for the data needing protection is there any thought that we might want to encrypt and authenticate it.  

--John
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
