
Re: https

2011-08-26 05:51:02
On Fri, Aug 26, 2011 at 09:18:41AM +0200, t.petch wrote:
> Why does the IETF website consider it necessary to use TLS to access
> the mailing list archives, when they all appeared without it, or any
> other security, in the first place?

TLS provides more than confidentiality--it also provides authenticity.
If I were living in a hostile regime, I'd appreciate knowing that the
RFCs, etc. that I'm getting really come from the IETF unmodified.

Also, as a general principle, I'd rather someone not be able to read
over my shoulder, even if it is harmless stuff. Using encryption only
when I need it makes all of my encrypted traffic less secure.

For example, if I were out to modify the traffic you read to make sure
that you didn't even know that a working group existed, I'd have a lot
easier time of it if you use DNS without DNSSEC, HTTP without TLS, TLS
without HASTLS, DANE, HSTS, etc. Now, not all of that is completed
protocol work, but one step at a time.

> Besides all the usual hassle of TLS, today the certificate is reported
> by IE as expired, which sort of sums it up.

Mistakes happen. Hopefully lessons are learned so that they don't get
repeated.

If it's a protocol problem, whose fault is that but ours?

-- 
Scott Schmit
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf
