brent timothy saner via plug on 10 Aug 2020 13:14:21 -0700



Re: [PLUG] news


On 8/10/20 3:58 PM, Michael Lazin via plug wrote:
> I think the interesting point about the HTTP smuggling article that you
> reference is it still works.  Google rankings are negatively impacted if
> you don't have an SSL certificate, and we have plugins like HTTPS
> everywhere, which force HTTPS on the client-side, and yet still HTTP
> persists despite it not being secure.  There was a time when purchasing
> a certificate was cost-prohibitive, but many web hosts now include a
> cert with hosting and there are free SSL cert providers.  I think this
> is a sign that providers should start forcing https connections on the
> server-side.  I know this is controversial because you want the maximum
> amount of people to view your website, and you don't want to lock out
> people with old hardware/software. Still, maybe it would be wise for the
> Internet community to start doing this for security reasons and not just
> Google rankings.
> 
> Michael Lazin
> 
> to gar auto estin noein te kai ennai

"Encrypt everything all the time" is generally not a good stance to take.

Encrypt things that should be, like sensitive data? Absolutely. But
unquestioned enforced encryption is a generally bad idea because
encryption requires trust, which leads to either needing to verify every
single site or trusting a central authority. Which can then be a single
point of failure, technologically or politically.

You don't need to encrypt a website that's purely informational, for
instance, unless it contains that sensitive data. It can of course help
with *ensuring integrity* of that data, but it's generally not without
its complications and a whole new can of worms.

This proposal also complicates (needlessly, in many cases)
reverse-proxying and load balancing, it breaks numerous "upper"
protocols that rely on HTTP as a transport (but don't account for TLS
tunnelling), it breaks XSD validation, it complicates (if not breaks)
NATted LAN HTTP communication, and makes packet tracing/packet dumps
utterly useless for debugging. Just to name a few off the top of my head.

A good example of this is the DoH hype. Now Comcast, with its arguably
quite questionable decisions regarding business ethics, is doing this:
https://twitter.com/TheRegister/status/1276321762276491264

See also:
* https://www.wired.com/story/dns-over-https-encrypted-web/
* https://www.theregister.co.uk/2018/10/23/paul_vixie_slaps_doh_as_dns_privacy_feature_becomes_a_standard/
* https://hackaday.com/2019/10/21/dns-over-https-is-the-wrong-partial-solution/
* https://www.yeettheayys.cf/?p=80
** https://www.yeettheayys.cf/?p=96


___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug