[Cryptography] Moving forward on improving HTTP's security

ianG iang at iang.org
Sun Nov 24 05:38:52 EST 2013


On 23/11/13 18:14 PM, John Kelsey wrote:
> NSA is a good model for the attacker, but there are a lot of attackers that aren't NSA, ranging from nosy neighbors to local cops to criminals to foreign governments to big companies and their ethics-free contractors.  Moving to TLS everywhere will make eavesdropping harder across the board, and will be more effective the more we apply additional defenses against mitm attacks.


I agree.  There might still be some debate about how we get there.

Going HTTPS with the current (PKI v. MITM) arrangement is not going to 
work, IMHO, because of the economics.

Look at the OODA cycle for changes in SSL: it's a minimum of 3.5 years [0], 
more likely a decade (SNI, MD5).  Now apply an OODA prediction across to 
the HTTP world.  It will be longer for a dramatic, non-compatible, 
costly change.

The only economic way this is going to happen is if the change is 
cost-free, plus-benefit and is viral.  Turning on opportunistic 
encryption is one way that meets those goals, give or take.  Like 
STARTTLS, if I recall correctly.

( And, for those who are upset at the NSA and their "golden age of 
SIGINT" [1], opportunistic encryption has an added bonus of stopping the 
easy flow of economic intel across to the various agencies of interest. 
That alone is worth the price -- cryptography advances in employment 
have always been pushed by the perception of danger, not by the real 
dangers. )



iang



[0] http://financialcryptography.com/mt/archives/001210.html

[1] Thank you John Young and Edward Snowden:
http://cryptome.org/2013/11/nsa-sigint-strategy-2012-2016.pdf

"For decades, Signals Intelligence has sustained deep and persistent 
access to all manner of adversaries to inform and guide the actions and 
decisions of Presidents, military commanders, policy makers and 
clandestine service officers. As the world has changed, and global 
interdependence and the advent of the information age have transformed 
the nature of our target space, we have adapted in innovative and 
creative ways that have led some to describe the current day as “the 
golden age of SIGINT.”"

