[Cryptography] HTTP should be deprecated.

John Kelsey crypto.jmk at gmail.com
Mon Nov 4 12:44:17 EST 2013


On Nov 4, 2013, at 10:50 AM, Greg <greg at kinostudios.com> wrote:

> Could someone please forward this message to the Elders of the Internet™?
> 
> It's time to make encryption mandatory in all communication protocols.

Amen!  The default for anything going over a communications network should be encrypted and authenticated.  In the rare cases where that isn't appropriate for some reason, that should be the thing that requires justification.  Instead, the opposite seems to hold--the default is unencrypted and unauthenticated, and anyone who wants to add crypto has to show why it's necessary.  

The sticking point here is key management, which is a big potential administrative pain in the ass.    But it's worth wondering if we could at least get widespread use of Diffie-Hellman + GCM as a default.  There is no key management there, and no defense against MIM attacks, but at least everything doesn't go out in the clear.  

But at this point, most websites don't even support an https request.  

--John



> 
> Thx,
> 
> - Greg
> 
> --
> Please do not email me anything that you are not comfortable also sharing with the NSA.
> 
> _______________________________________________
> The cryptography mailing list
> cryptography at metzdowd.com
> http://www.metzdowd.com/mailman/listinfo/cryptography
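The "Diffie-Hellman + GCM as a default" sketched above, worked out as an added example; this is not part of the original thread and not code posted by any participant. It assumes X25519 for the Diffie-Hellman step and AES-256-GCM for the records (the message names neither a group nor a cipher), uses only Go's standard library, and stands in a labelled SHA-256 hash for a proper KDF such as HKDF. The party names, the "dh+gcm demo key" label and the sample HTTP request line are constructed for the demo. HonestExchange shows what the trade-off buys: no key management, and a passive eavesdropper who logs both public values and the ciphertext cannot read it. ActiveMITM shows exactly the caveat in the message: because nothing authenticates the public values, an attacker on the wire completes a separate handshake with each side, every GCM tag verifies, and both parties believe they are talking privately to each other while the attacker reads every record.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// must panics on error; used only where failure means a broken host RNG or a demo bug.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Party is one side of an unauthenticated X25519 exchange: an ephemeral key pair certified by nobody.
type Party struct{ priv *ecdh.PrivateKey }

func NewParty() *Party { return &Party{priv: must(ecdh.X25519().GenerateKey(rand.Reader))} }

// Public is all a party puts on the wire, and it travels in the clear.
func (p *Party) Public() []byte { return p.priv.PublicKey().Bytes() }

// SessionKey finishes Diffie-Hellman with a peer's public value and hashes the
// shared secret into a 32-byte AES-256-GCM key (a labelled SHA-256 stands in for
// HKDF here). The peer value is untrusted wire input, so a malformed one is an error.
func (p *Party) SessionKey(peerPub []byte) ([]byte, error) {
	pub, err := ecdh.X25519().NewPublicKey(peerPub)
	if err != nil {
		return nil, err
	}
	shared, err := p.priv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	h := sha256.New()
	h.Write([]byte("dh+gcm demo key")) // domain-separation label, chosen for this demo
	h.Write(shared)
	return h.Sum(nil), nil
}

func gcmFor(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }

// Seal returns nonce || AES-GCM(key, nonce, plaintext) under a fresh random
// 96-bit nonce. GCM authenticates the record, but only to whoever holds the key.
func Seal(key, plaintext []byte) []byte {
	gcm := gcmFor(key)
	nonce := make([]byte, gcm.NonceSize())
	must(rand.Read(nonce))
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// Open splits off the nonce, then verifies and decrypts; a wrong key or a tampered record fails here.
func Open(key, record []byte) ([]byte, error) {
	gcm := gcmFor(key)
	if len(record) < gcm.NonceSize() {
		return nil, fmt.Errorf("record too short: %d bytes", len(record))
	}
	return gcm.Open(nil, record[:gcm.NonceSize()], record[gcm.NonceSize():], nil)
}

// HonestExchange: Alice and Bob swap public values in the clear and Alice sends one
// record. A passive eavesdropper has both public values but no private key, so no session key.
func HonestExchange(msg []byte) ([]byte, error) {
	alice, bob := NewParty(), NewParty()
	kA := must(alice.SessionKey(bob.Public()))
	kB := must(bob.SessionKey(alice.Public()))
	return Open(kB, Seal(kA, msg)) // what Bob recovers
}

// ActiveMITM: Mallory owns the wire. Alice receives Mallory's first public value
// believing it is Bob's; Bob receives her second believing it is Alice's. Both
// handshakes complete and every GCM tag verifies, yet Mallory holds both session
// keys and reads, then re-seals, each record. Nothing authenticated the public values.
func ActiveMITM(msg []byte) (malloryRead, bobGot []byte, err error) {
	alice, bob := NewParty(), NewParty()
	mToAlice, mToBob := NewParty(), NewParty() // Mallory's two ephemeral pairs
	kA := must(alice.SessionKey(mToAlice.Public()))  // Alice's key with "Bob"
	kMA := must(mToAlice.SessionKey(alice.Public())) // Mallory's key with Alice
	kB := must(bob.SessionKey(mToBob.Public()))      // Bob's key with "Alice"
	kMB := must(mToBob.SessionKey(bob.Public()))     // Mallory's key with Bob
	if malloryRead, err = Open(kMA, Seal(kA, msg)); err != nil {
		return nil, nil, err
	}
	bobGot, err = Open(kB, Seal(kMB, malloryRead)) // re-sealed for Bob, tag verifies
	return malloryRead, bobGot, err
}

func main() {
	read, got, err := ActiveMITM([]byte("GET /index.html HTTP/1.1")) // constructed sample record
	fmt.Printf("mallory read %q; bob got %q; err=%v\n", read, got, err)
}
```

Run it with `go run` and both the honest and the intercepted exchange deliver the record to Bob intact; the only difference is that in the second case Mallory has a copy. That is the whole point of the caveat: GCM's tag proves the record came from whoever holds the session key, and unauthenticated Diffie-Hellman lets the attacker be that key holder on both sides. Fixing it means authenticating the public values (certificates, pinned keys, a PAKE, or an out-of-band fingerprint check), which is exactly the key-management cost the message is trying to avoid.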

