Re: HTTPS everywhere for the IETF

From Toxic Rhinoceros, 10 Years ago, written in Plain Text.

URL http://geopaste.scratchbook.ch/view/56429313

Embed

Browsers don't send singular messages containing anonymous information. They send a complex

sequence of messages to multiple parties with an interaction pattern and communication state.

The more complex and encrypted the communication, the more uncommon state and direct

communication is required, which makes it easier to track a person across multiple requests

until the user's identity is revealed. Furthermore, with TLS in place, it becomes easy and

commonplace to send stored authentication credentials in those requests, without visibility,

and without the ability to easily reset those credentials (unlike in-the-clear cookies).

Padding has very little effect. It isn't just the message sizes that change -- it is all

of the behavior that changes, and all of the references to that behavior in subsequent

requests, and the effects of those changes on both the server and the client.

TLS does not provide privacy. What it does is disable anonymous access to ensure authority.

It changes access patterns away from decentralized caching to more centralized authority control.

That is the opposite of privacy. TLS is desirable for access to account-based services wherein

anonymity is not a concern (and usually not even allowed). TLS is NOT desirable for access to

public information, except in that it provides an ephemeral form of message integrity that is

a weak replacement for content integrity.

If the IETF wants to improve privacy, it should work on protocols that provide anonymous

access to signed artifacts (authentication of the content, not the connection) that is

independent of the user's access mechanism.

I have no objection to the IESG proposal to provide information *also* via https. It would

be better to provide content signatures and encourage mirroring, just to be a good example,

but I don't expect eggs to show up before chickens. However, I agree with Tony's assessment:

most of the text is nothing more than a pompous political statement, much like the sham of

"consensus" that was contrived at the Vancouver IETF.

TLS everywhere is great for large companies with a financial stake in Internet centralization.

It is even better for those providing identity services and TLS-outsourcing via CDNs.

It's a shame that the IETF has been abused in this way to promote a campaign that will

effectively end anonymous access, under the guise of promoting privacy.

....Roy

Author

Title

Language

Your paste - Paste your paste here

Browsers don't send singular messages containing anonymous information.  They send a complex
sequence of messages to multiple parties with an interaction pattern and communication state.
The more complex and encrypted the communication, the more uncommon state and direct
communication is required, which makes it easier to track a person across multiple requests
until the user's identity is revealed.  Furthermore, with TLS in place, it becomes easy and
commonplace to send stored authentication credentials in those requests, without visibility,
and without the ability to easily reset those credentials (unlike in-the-clear cookies).

Padding has very little effect.  It isn't just the message sizes that change -- it is all
of the behavior that changes, and all of the references to that behavior in subsequent
requests, and the effects of those changes on both the server and the client.

TLS does not provide privacy.  What it does is disable anonymous access to ensure authority.
It changes access patterns away from decentralized caching to more centralized authority control.
That is the opposite of privacy.  TLS is desirable for access to account-based services wherein
anonymity is not a concern (and usually not even allowed).  TLS is NOT desirable for access to
public information, except in that it provides an ephemeral form of message integrity that is
a weak replacement for content integrity.

If the IETF wants to improve privacy, it should work on protocols that provide anonymous
access to signed artifacts (authentication of the content, not the connection) that is
independent of the user's access mechanism.

I have no objection to the IESG proposal to provide information *also* via https.  It would
be better to provide content signatures and encourage mirroring, just to be a good example,
but I don't expect eggs to show up before chickens.  However, I agree with Tony's assessment:
most of the text is nothing more than a pompous political statement, much like the sham of
&quot;consensus&quot; that was contrived at the Vancouver IETF.

TLS everywhere is great for large companies with a financial stake in Internet centralization.
It is even better for those providing identity services and TLS-outsourcing via CDNs.
It's a shame that the IETF has been abused in this way to promote a campaign that will
effectively end anonymous access, under the guise of promoting privacy.

....Roy

Create Shorturl - Create a shorter url that redirects to your paste?

Private - Private paste aren't shown in recent listings.

Delete After - When should we delete your paste?

Re: HTTPS everywhere for the IETF

Reply to "Re: HTTPS everywhere for the IETF"