[148176] in cryptography@c2.net mail archive


Re: [Cryptography] Fwd: Moving forward on improving HTTP's security

daemon@ATHENA.MIT.EDU (John Kelsey)
Wed Nov 13 20:04:28 2013

X-Original-To: cryptography@metzdowd.com
In-Reply-To: <AEBA9C2F-E264-40BF-889B-42E31BC02BC0@kinostudios.com>
From: John Kelsey <crypto.jmk@gmail.com>
Date: Wed, 13 Nov 2013 19:05:59 -0500
To: Greg <greg@kinostudios.com>
Cc: Cryptography <cryptography@metzdowd.com>,
	"cryptography@randombit.net" <cryptography@randombit.net>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com

On Nov 13, 2013, at 1:40 PM, Greg <greg@kinostudios.com> wrote:

> If you haven't heard, the IETF is trying to move forward with "HTTP 2.0", which is, from what I can tell, simply "HTTPS all the time".
> 
> We know HTTPS is broken and that it gives people a false sense of security, leading them to share material that they otherwise might not share, with potentially life threatening consequences.

So your solution is what?  Continue sending data in the clear?  

Why not push to get TLS used everywhere, and also push for certificate transparency and EA certs to make it harder to do CA attacks?  Right now, the default is to send data out unencrypted over a network that is apparently being heavily spied on.  Turning on crypto by default isn't a perfect answer, but I think it's the best one we can reach quickly.  

--John

_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
