[Cryptography] Fwd: Moving forward on improving HTTP's security

John Kelsey crypto.jmk at gmail.com
Wed Nov 13 19:05:59 EST 2013


On Nov 13, 2013, at 1:40 PM, Greg <greg at kinostudios.com> wrote:

> If you haven't heard, the IETF is trying to move forward with "HTTP 2.0", which is, from what I can tell, simply "HTTPS all the time".
> 
> We know HTTPS is broken and that it gives people a false sense of security, leading them to share material that they otherwise might not share, with potentially life-threatening consequences.

So your solution is what?  Continue sending data in the clear?  

Why not push to get TLS used everywhere, and also push for certificate transparency and EA certs to make it harder to do CA attacks?  Right now, the default is to send data out unencrypted over a network that is apparently being heavily spied on.  Turning on crypto by default isn't a perfect answer, but I think it's the best one we can reach quickly.  

--John


