On Monday, 1 June 2015, 13:16:10 Richard Barnes wrote:
> Do it. Do it boldly and fearlessly. Make the statement and implement it.
> Don't be tied to legacy. Anything that doesn't support HTTPS at this point
> needs to upgrade and deserves to be broken.
...sorry guys, but please don't be so "blind" and "populistic".
I have no problem with SSL/TLS as a general option (!) to access public IETF
HTTP services / documents - but not as a general "fact". Please implement DNSSEC
and such stuff as far as not done yet, which makes more sense.
Besides the fact that the IETF has no "accredited" SSL/x509 root of its own in the
major browsers, and I assume the IETF would not use a non-"certified" or "self-signed"
root - why should I "trust" and use any third party certification from
any company I don't (want to and/or can) know?
And why should (usually not dumb...) IETF readers / users not be able to
decide if they want or "need" that TLS/SSL product the IETF would offer?
SSL/TLS would do no more than make sure that any third party company "trusts"
a connection to the IETF and, as long as you "trust" them, the content (mostly
of a still very public type) of your requests should not be readable by a MitM - by
their own policies, which may conform to the browsers' / browser alliance
policies (which is primarily a policy of high fees from my view...).
SSL/TLS does NOT deliver anonymity to the users - and most parts of the
IETF web content are publicly accessible. And people who need anonymity have
other and probably even better ways to get that over HTTP (i.e. cryptotunnels or TOR
to anywhere where they are "safe").
Sure - TLS/SSL has its applications in different fields - but I can't
follow this current "encrypt anything" attitude from different social vectors
today (in Germany we have the first politicians who would do that by law to any
"internet communication"...).
There are many scenarios where it is far from a "requirement" and even some
where it is just nonsense to block non-encrypted / non-authenticated usage.
Encryption costs energy (and even if you have the money - it generates at
least further CO2) and other resources - so it makes no sense to use it where
it doesn't have a value, at least from the user's view. This effect is
multiplied when even robots / agents / spiders and other automated services,
where data integrity is not the primary concern or there are other reasons, have only the
option of HTTPS.
The major reasons most people fighting today for that "encrypt anything"
thing give, as far as I have heard, are usually:
- "The NSA could read anything otherwise. We need our privacy integrity
back..."
-> Such services are much more interested in the metadata of communication, which
is widely accessible even for HTTPS / SSL / TLS "secured" connections, and it
IS accessible not least because governments / democracies are giving them
access to it by law. Change the law if you want to change that - but don't cripple
the non-political net.
-> And if "the NSA" (or many other "services") want to get into a software
product or encryption stack, they have many options by law - even in other
countries.
- "The Mozilla Team" and/or "well known people around" that scene have
announced that Firefox will block "unencrypted", "non-SSL" HTTP in "future
versions" as a "feature" for their users.
-> Besides the fact that I wouldn't use Firefox anymore at that time - even if
Firefox is an Open Source product, it is not a "pure" community project - the
browser project still makes its own money - not least by selling licenses
to companies which want to print money by "certifying" for that browser (in
SSL / TLS / x509). Take a look at the (at least formerly) yearly fees
("audit fees" or so called, but much higher than the work a certification
takes...) they charge and you will take a new view of their "highly
skilled arguments from a purely technical view"...
Ergo: the HTTP SSL and TLS technology and infrastructure is useful in much
more special scenarios than most people think it is - because of the very
difficult, complex and intransparent collision of interests of different
parties in the current (trust) structure.
- And: there ARE people and services which don't allow encrypted access for
legal or organisational reasons - it would not be nice to block interested
people from such user "societies" who are not usually free to decide for an
alternative by themselves.
And for me personally: I use a 7 year old cell phone to read HTTP stuff in my
spare time and do not understand why I should buy a new one for the very same
application. "Legacy" means that there are newer standards which offer ME more
value I WANT - and not what others mean that I HAVE TO WANT. Buying a new phone
just for using encryption I don't want is nonsense. I could afford it, but
I (personally) think the resources are better used elsewhere (or even not
used).
In short:
+1 for SSL as an option (ideally with the IETF's own x509 root CA)
-1 for blocking plain text HTTP in general
Just my two cents - sorry for the noise,
and my (probably) bad English,
Niels.
--
---
Niels Dettenbach
Syndicat IT & Internet
http://www.syndicat.com
PGP: https://syndicat.com/pub_key.asc
---