[Cryptography] IPsec DH parameters, other flaws
Paul Wouters
paul at cypherpunks.ca
Wed Nov 18 10:36:18 EST 2020
On Tue, 17 Nov 2020, Christian Huitema wrote:
> Really? Facebook and Ali-Baba are already sending a bunch of their
> traffic over Quic, so it is not just Google. In fact, a sizeable
> fraction of the Internet traffic runs over Quic already. Most browsers
> already support Quic -- Chromium of course, but also Mozilla and Safari.
> There are implemention of Quic on server platforms like Apache, NGinx,
> or Litespeed, on VPNs like Akamai, Fastly or Cloudflare, and I am
> missing a few. (see:
> https://github.com/quicwg/base-drafts/wiki/Implementations).
But none of this benefits the user. It benefits the Advertisement Gods.
It gives _them_ more miliseconds to auction our privacy with targeted
ads while not delaying the user more so they lose interest in the web
view.
> Quic is really an encrypted transport, solving
It's really solving that we never got IPsec hooks into the application
and we couldn't trust the OS enough. A lack of signaling we are
connecting securely. And that is due to governments who didn't want
us to change the default mode of the internet to encrypted with IPsec
in IPv6 because then they couldn't monitor their citizens^Wenemies. So
now the enterprises work around this government restriction fallout. But
doing a crypto handshake for each flow is too expensive, so QUIC kinda
merges these into one. It's basically IPsecInTLSinUDP.
Proving again that the enemy is (all of) us.
Paul
More information about the cryptography
mailing list