<div dir="ltr">A few things are pretty clear:<div><br></div><div>* Whether or not everything should be HTTPS, clearly more should be.</div><div>* HTTPS has lots of problems and doesn't solve everything.</div><div>* HTTPS breaks some kinds of caching, and doesn't affect others.</div>
<div>* CDNs charge waaayyyy more to serve your data as HTTPS. This affects the behavior of institutions that use CDNs.</div><div>* Google and others are backing SPDY as the next HTTP 2.0, which would have TLS on for all traffic. Google cares about performance and efficiency more than anyone else on the Web, and they think TLS is just fine. SPDY/HTTP2 is built to extend the Web with lots of different performance gains.</div>
<div><br></div><div>HTTP2 being all-TLS would effectively deprecate HTTP in favor of HTTPS. I think this is where the Web is going, and we should look at whatever downsides that would cause and start addressing them now.</div>
</div><div class="gmail_extra"><br><br><div class="gmail_quote">On Mon, Nov 11, 2013 at 8:03 PM, Patrick Mylund Nielsen <span dir="ltr"><<a href="mailto:cryptography@patrickmylund.com" target="_blank">cryptography@patrickmylund.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div class="im"><div>On Mon, Nov 11, 2013 at 7:45 PM, Lodewijk andré de la porte <span dir="ltr"><<a href="mailto:l@odewijk.nl" target="_blank">l@odewijk.nl</a>></span> wrote:<br>
</div></div><div class="gmail_extra"><div class="gmail_quote"><div class="im">
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div class="gmail_extra">I'm sorry, no. There is information that is simply public. To intricately confuse them through our petty plays with numbers would be nothing but waste of time and all the peoples' resources.</div>
</div></blockquote><div><br></div></div><div>I think you missed John's point, which was that, while the information may be something that is readily accessible to all, the fact that YOU are accessing it is interesting information. And that's true, but somebody is going to get that information whether or not the channel is encrypted.</div>
<div class="im">
<div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div class="gmail_extra">Think of the caching disadvantages!</div></div></blockquote><div><br>
</div></div><div>Which? It's very easy to cache stuff when HTTPS is used, either server-side or client-side (Cache-Control header.) It's just a transport.</div><div><br></div><div>The fact that the CA model is a mess and browsers depend on it is a much bigger disadvantage.</div>
</div></div></div>
<br>_______________________________________________<br>
The cryptography mailing list<br>
<a href="mailto:cryptography@metzdowd.com">cryptography@metzdowd.com</a><br>
<a href="http://www.metzdowd.com/mailman/listinfo/cryptography" target="_blank">http://www.metzdowd.com/mailman/listinfo/cryptography</a><br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div dir="ltr"><div>
<a href="http://konklone.com" target="_blank">konklone.com</a> | <a href="https://twitter.com/konklone" target="_blank">@konklone</a><br></div></div>
</div>