
Re: Proposed Statement on "HTTPS everywhere for the IETF"

2015-06-02 01:25:19
On 06/01/2015 11:18 PM, Niels Dettenbach (Syndicat.com) wrote:

Encryption everywhere is good.
You mean every public information should be encrypted? I.e. radio or TV? Can't see the "feature", sorry...

have you looked at your cable TV lately? Or your DAB radio?

Once a connection is encrypted and certificate-protected, a whole class of worries can be removed from the threat models; having fewer things to worry about is great when designing protocol stacks.
This is correct by theory in many, but not all cases and not in practice.

An https GET takes up to multiple times of energy and computing resources. I 
prefer efficiency even in protocols - resources should be used for real (not 
only theoretic) added value.

See the Great Cannon attack. Allowing in-flight modification of resources (which using HTTP is) is not just a theoretical danger to yourself, it's a practical danger to anyone on the Net.

But since you're not convinced by the language of the IESG note, me repeating it won't make you more convinced. Sorry 'bout that.

Browser HTTP-SSL/TLS isn't "just encrypt and forget" as long as you really 
understand the whole infrastructure and setup in practice including their implications 
today - and not in theory only. This is not like and comparable with the migration from 
telnet to SSH and even not with SMTP TLS/SSL...

It's more comparable with the transition from bang-path addresses to DNS notation, yes.

And getting a faked x509 i.e. for mitm is more a question of some money and/or 
third party CA security and not at first of secure crypto algos or similar.

And blocking plaintext http is no feature - it is at max a lack of...

Not a part of this proposal.

Sorry...


best regards,

Niels.
- ---
Niels Dettenbach
Syndicat IT & Internet
http://www.syndicat.com