[Cryptography] Moving forward on improving HTTP's security

ianG iang at iang.org
Fri Nov 15 02:44:06 EST 2013


On 15/11/13 01:25 AM, Owen Shepherd wrote:
> And lose the one opportunity we get to force traffic over to TLS for
> more than a decade?


There is a complicated choice here:  Get HTTPS everywhere, get CAs 
everywhere, or some combination in-between.  The problem here is that 
the combination of these two axes (and a few more) is likely an 
unsolvable equation, but we can see where some of the extremes are:

   i. Get all-TLS & get all-CAs:  fail.  All CAs will fall to the state.

(This of course can be seen as a tinfoil claim, and it is easy to 
dismiss because people simply don't know the reality.  FWIW, been there, 
got the t-shirt:  CAs are a legitimate, popular and priority target of 
the TLAs.)

   ii. Get TLS (or HTTPS) as an option:  fail.  This is the current 
situation, and results in the downgrade attack.  SSL then provides 
loose, maybe, sometimes security, which cannot be relied upon *and* it 
is expensive because of all the load that other systems place on people.
That's an unacceptable compromise.



The path from endpoint (ii) is rocky, and may or may not lead to 
endpoint (i).

For my money, I assume that everyone can see that if we TLS-everything, 
then we cannot accept CAs everywhere, and we must add easy opportunistic 
encryption.

I might be wrong;  there is a lot of vested interest that can only see 
their own paycheck, and they are making good money claiming that 
HTTPS+CAs is a complete security package for now and the future, we just 
need to PKI-'em harder!



iang

