[aklug] Re: TLS over http: Has anyone looked at this with any interest?

From: Christopher Howard <ch.howard@zoho.com>
Date: Fri Apr 03 2015 - 21:22:14 AKDT

On Fri, 03 Apr 2015 12:24:36 -0800
Mike <alaskabarsalou@gmail.com> wrote:

>
> The subject might misrepresent how this really works.
>
> What are your thoughts?
>
> http://arstechnica.com/security/2015/04/new-firefox-version-says-might-as-well-to-encrypting-all-web-traffic/
>
>
> Mike B.
>
> ---------
> To unsubscribe, send email to <aklug-request@aklug.org>
> with 'unsubscribe' in the message body.
>

Since the post was published on April 1, I had to spend about an hour
to verify everything!

A more accurate subject would be "New Firefox Version Says 'Accept
Unauthenticated Encryption On the Web Whenever It Is Available and
Whenever HTTPS Is Not Available". It makes opportunistic encryption
available, i.e., if an HTTP (non-encrypted) resource is requested, the
server and browser can negotiate a non-authenticated TLS session.

I guess it is kind of like meeting a secret agent at a bar, and then
agreeing to talk with him in a secret code made up on the spot. This
is an improvement, because at least some random guy walking into the
bar can't listen in to the conversation. But you don't really know if
the other guy is who he claims to be. (He might have killed they guy
you were really supposed to meet.)

I imagine that, if OE became a standard part of an automatic apache
install, then a pretty large percentage of the internet would get
coverted to opportunistic encryption after a while, which sounds like
a good thing to me. But presumably the big media providers won't be
quick to enable it: If, for example, the abcnews Web site does not
currently think user privacy and security is important enough to
provide https, why would they provide unauthenticated encryption?
Unauthenticated encryption will still dramatically increase their
server load. 

-- 
Christopher Howard
Biblical creationism: http://tinyurl.com/qfyeg4a
Software freedom: http://tinyurl.com/qjnpnsm
---------
To unsubscribe, send email to <aklug-request@aklug.org>
with 'unsubscribe' in the message body.
Received on Fri Apr 3 21:22:38 2015

This archive was generated by hypermail 2.1.8 : Fri Apr 03 2015 - 21:22:38 AKDT