[Cryptography] The role of the IETF in security of the Internet: for or against the NSA? for or against the security of users of the net?

tpb-crypto at laposte.net tpb-crypto at laposte.net
Tue Mar 25 18:33:04 EDT 2014


> Message of 25/03/14 20:19
> From: "Eric Mill"
> To: "ianG"
> Cc: "Cryptography"
> Subject: Re: [Cryptography] The role of the IETF in security of the Internet: for or against the NSA? for or against the security of users of the net?
>

> I personally enjoyed what Mark Nottingham (who is chairing the IETF HTTP2
> working group) wrote on the matter:
> 
> http://www.mnot.net/blog/2014/01/04/strengthening_http_a_personal_view
> http://www.mnot.net/blog/2014/01/30/http2_expectations
> 
> From the last one, "what to expect from http 2":
> 
> 6. More Encryption
> 
> HTTP/2 doesn't require you to use TLS (the standard form of SSL, the Web's
> encryption layer), but its higher performance makes using encryption
> easier, since it reduces the impact on how fast your site seems.
> 
> In fact, many people believe that the only safe way to deploy the new
> protocol on the "open" Internet is to use encryption; Firefox and Chrome
> have said that they'll only support HTTP/2 using TLS.
> 
> They have two reasons for this. One is that deploying a new version of HTTP
> across the Internet is hard, because a lot of "middleboxes" like proxies
> and firewalls assume that HTTP/1 won't ever change, and they can introduce
> interoperability and even security problems if they try to interpret a
> HTTP/2 connection.
> 
> The other is that the Web is an increasingly dangerous place, and using
> more encryption is one way to mitigate a number of threats. By using HTTP/2
> as a carrot for sites to use TLS, they're hoping that the overall security
> of the Web will improve.
> 
> 

Security will not be improved with "trusted proxies", that is for sure. But it seems such ideas are making their way into the protocol while being pushed by the monarch.

