[148123] in cryptography@c2.net mail archive

Re: [Cryptography] HTTP should be deprecated.

daemon@ATHENA.MIT.EDU (Patrick Mylund Nielsen)
Mon Nov 11 19:32:39 2013

X-Original-To: cryptography@metzdowd.com
In-Reply-To: <C726DA24-BFEB-4EE8-9963-87B6481F756B@gmail.com>
Date: Mon, 11 Nov 2013 19:18:02 -0500
From: Patrick Mylund Nielsen <cryptography@patrickmylund.com>
To: John Kelsey <crypto.jmk@gmail.com>
Cc: Russ Nelson <nelson@crynwr.com>, Greg <greg@kinostudios.com>,
	"cryptography@metzdowd.com List" <cryptography@metzdowd.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com

On Mon, Nov 11, 2013 at 2:49 PM, John Kelsey <crypto.jmk@gmail.com> wrote:

> On Nov 9, 2013, at 7:36 PM, Russ Nelson <nelson@crynwr.com> wrote:
> > I'm not going to bother encrypting connections to a website that only
> > offers up public data.
>
> There are a lot of examples of public data where it's interesting to
> someone that you are looking it up.  There might be people who would like
> to know that you are really interested in public articles on staging of
> breast cancer, or protease inhibitors, or gender reassignment surgery.
> Some of those people might not have your best interests at heart.
>

I don't disagree with you, but it's important to note that thousands of
companies are getting this kind of information whether the sites you're
browsing are delivered via HTTPS or not. It's virtually impossible to find
a major website that doesn't employ some kind of third-party tracking,
including sites like webmd.com. This is not to mention the difficulty of
finding out what information these companies are actually collecting and
what they're using it for.

I do think that MITMs (e.g. NSA) being able to identify your interests,
health issues, etc. is a concern, but that uncontrolled tracking is a much
bigger one. After all, the NSA can just compel one of those tracking
companies, or a site itself, to give up all their information--then SSL
won't have helped you.

_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography