Never mind, I'll just use a vendor extension. Goodbye.
Rinse and repeat with any other protocol that allows extensions.
That’s a very practical concern. If standard solutions are too hard to develop,
then products will use proprietary solutions instead, and we will not have won
much defense against pervasive monitoring.
I personally agree with the general idea that new developments should consider
PM as part of the threat model. But Elliot makes a good point. In practice, the
good reviews don’t stop at negative advice, “don’t do this because the spooks
will snoop.” The better reviews go on with “do this instead, it is almost as
easy to use and it provides much better privacy.”
It would be interesting to list the specific patterns that are most likely to
trigger the “bad because of PM” comments, and to develop secure alternatives.
From what I see, there seem to be two big offenders: logs and configuration.
So maybe we should develop a simple way to anonymize logs, and a secure way to
get configuration data…
-- Christian Huitema