ietf

RE: [IAB] Mandatory encryption as part of HTTP2

2013-11-15 07:55:00
That aside, just saying "you MUST do TLS with HTTP/2.0" doesn't buy much security in a world where CAs are not trustworthy, people still use RC4/MD5, use woefully short keys for otherwise strong algorithms, browsers have effectively trained people to always click "visit anyway" and so on.

I believe that this proposal was in line with Bruce Schneier's suggestion at the plenary.
Do anything to make more work for people trying to listen in to everything on the Internet.

For example, put a key at the top of the content and then encrypt using this key.
This is meaningless from the confidentiality point of view, but eats up computational resources and energy for someone trying to vacuum up everything.

Even better - when you don't have anything to transmit, send meaningless supposed encrypted packets.
If everyone did this their storage costs would skyrocket.
Even better, send packets with easily broken encryption containing keywords of interest.

Y(J)S