[Cryptography] Moving forward on improving HTTP's security
ianG
iang at iang.org
Sun Nov 24 05:38:52 EST 2013
On 23/11/13 18:14 PM, John Kelsey wrote:
> NSA is a good model for the attacker, but there are a lot of attackers that aren't NSA, ranging from nosy neighbors to local cops to criminals to foreign governments to big companies and their ethics-free contractors. Moving to TLS everywhere will make eavesdropping harder across the board, and will be more effective the more we apply additional defenses against mitm attacks.
I agree. There might still be some debate about how we get there.
Going HTTPS with the current (PKI v. MITM) arrangement is not going to
work, IMHO, because of the economics.
Look at the OODA cycle for changes in SSL, it's minimum 3.5 years [0]
more likely a decade (SNI, MD5). Now apply an OODA prediction across to
the HTTP world. It will be longer for a dramatic, non-compatible,
costly change.
The only economic way this is going to happen is if the change is
cost-free, plus-benefit and is viral. Turning on opportunistic
encryption is one way that meets those goals, give or take. Like
STARTTLS, if I recall correctly.
(And, for those who are upset at the NSA and their "golden age of
SIGINT" [1], opportunistic encryption has an added bonus of stopping the
easy flow of economic intel across to the various agencies of interest.
That alone is worth the price -- cryptography advances in employment
have always been pushed by the perception of danger, not by the real
dangers. )
iang
[0] http://financialcryptography.com/mt/archives/001210.html
[1] Thank you John Young and Edward Snowden:
http://cryptome.org/2013/11/nsa-sigint-strategy-2012-2016.pdf
"For decades, Signals Intelligence has sustained deep and persistent
access to all manner of adversaries to inform and guide the actions and
decisions of Presidents, military commanders, policy makers and
clandestine service officers. As the world has changed, and global
interdependence and the advent of the information age have transformed
the nature of our target space, we have adapted in innovative and
creative ways that have led some to describe the current day as “the
golden age of SIGINT.”"