[Cryptography] [cryptography] STARTTLS for HTTP

Jerry Leichter leichter at lrw.com
Tue Aug 19 06:06:32 EDT 2014


On Aug 19, 2014, at 2:09 AM, Ryan Carboni <ryacko at gmail.com> wrote:
> It would be secure against wifi eavesdropping. But worse it might instill a false sense of security.

Ah, that famous "false sense of security".  Justifying not doing anything - because we can't do the absolute best - since, what, 1985 or so?

As always, specifying (a) what attacks you need to defend against; (b) how much you're willing to pay; is essential.  For most people, (b) is "not very much" (where the payment will be in inconvenience).  For most people, the most likely attack is "none at all"; the second most likely attack is "passive listening".  Active MITM is way down there.  Opportunistic encryption is much better than what they would otherwise have, which is nothing at all.

Besides, there are positive effects on the larger ecosystem:  The more traffic that's encrypted, the harder mass monitoring becomes.

                                                        -- Jerry


