[Cryptography] Moving forward on improving HTTP's security

[Bear]

On Sat, 2013-11-23 at 10:14 -0500, John Kelsey wrote:
> NSA is a good model for the attacker, but there are a lot of attackers that aren't NSA, ranging from nosy neighbors to local cops to criminals to foreign governments to big companies and their ethics-free contractors.  Moving to TLS everywhere will make eavesdropping harder across the board, and will be more effective the more we apply additional defenses against mitm attacks.  


I am particularly concerned about foreign governments, especially 
those in developed nations where chips and consumer electronics 
are fabricated.  After all, if the NSA is an example of what
intelligence agencies are doing, then we may assume that it is not 
the only such example, nor likely even the one with the most
comprehensive program of surveillence.  Nor is anyone else likely 
to limit themselves to so called "Metadata," even though Metadata 
is equivalent to long-term close surveillence in a way that the 
texts of our mails are not and if anything even more of an invasion 
of privacy. 

As long as we leave the infrastructure capable of being suborned, 
we will not know who nor how many are reading everyone's mail or
collecting information files on every human being in the world. 

Bruce Schneier posted the other day about detected MITM attacks, 
some of them quite large-scale and others quite closely targeted, 
that have been diverting http and mail traffic by suborning DNS.  

I first learned of such an attack over 20 years ago when a 
local foaming-at-the-mouth you're-all-going-to-hell style 
minister used it against a local government official, whose 
mail to her husband (with whom she was having marital problems) 
he then reprinted and faxed to thousands of people under the 
headline "Jezebellian Whore!"  

That was 20 years ago.  Why hasn't it been fixed by now??  Why 
is this attack still possible, if the entire world hasn't been 
derelict in their duty, wilfully complicit, or asleep at the wheel?


Bear