[Cryptography] HTTP should be deprecated.

John Kelsey crypto.jmk at gmail.com
Mon Nov 11 14:49:44 EST 2013


On Nov 9, 2013, at 7:36 PM, Russ Nelson <nelson at crynwr.com> wrote:
> I'm not going to bother encrypting connections to a website that only
> offers up public data.

There are a lot of examples of public data where it's interesting to someone that you are looking it up.  There might be people who would like to know that you are really interested in public articles on staging of breast cancer, or protease inhibitors, or gender reassignment surgery.  Some of those people might not have your best interests at heart.  

Anyway, encryption is just not that expensive, and we are clearly in an environment where lots of spying is going on.  My feeling is that the default for communications going over a network should be encrypted and authenticated, and *not* encrypting/authenticating it should require a justification.  That's the opposite of today, where the default is unprotected, and only when a case can be made for the data needing protection is there any thought that we might want to encrypt and authenticate it.  

--John

