[Cryptography] HTTP should be deprecated.

Patrick Mylund Nielsen cryptography at patrickmylund.com
Mon Nov 11 19:18:02 EST 2013


On Mon, Nov 11, 2013 at 2:49 PM, John Kelsey <crypto.jmk at gmail.com> wrote:

> On Nov 9, 2013, at 7:36 PM, Russ Nelson <nelson at crynwr.com> wrote:
> > I'm not going to bother encrypting connections to a website that only
> > offers up public data.
>
> There are a lot of examples of public data where it's interesting to
> someone that you are looking it up.  There might be people who would like
> to know that you are really interested in public articles on staging of
> breast cancer, or protease inhibitors, or gender reassignment surgery.
> Some of those people might not have your best interests at heart.
>

I don't disagree with you, but it's important to note that thousands of
companies are getting this kind of information whether the sites you're
browsing are delivered via HTTPS or not. It's virtually impossible to find
a major website that doesn't employ some kind of third-party tracking,
including sites like webmd.com. This is not to mention the difficulty of
finding out what information these companies are actually collecting and
what they're using it for.

I do think that MITMs (e.g. NSA) being able to identify your interests,
health issues, etc. is a concern, but that uncontrolled tracking is a much
bigger one. After all, the NSA can just compel one of those tracking
companies, or a site itself, to give up all their information--then SSL
won't have helped you.