Thomas Delrue via plug on 10 Aug 2020 14:09:27 -0700


Re: [PLUG] news


I respectfully disagree...
Note: the 'you' is the proverbial 'you', not you individually.

On 8/10/20 4:14 PM, brent timothy saner via plug wrote:
> On 8/10/20 3:58 PM, Michael Lazin via plug wrote:
>> I think the interesting point about the HTTP smuggling article that you
>> reference is it still works.  Google rankings are negatively impacted if
>> you don't have an SSL certificate, and we have plugins like HTTPS
>> everywhere, which force HTTPS on the client-side, and yet still HTTP
>> persists despite it not being secure.  There was a time when purchasing
>> a certificate was cost-prohibitive, but many web hosts now include a
>> cert with hosting and there are free SSL cert providers.  I think this
>> is a sign that providers should start forcing https connections on the
>> server-side.  I know this is controversial because you want the maximum
>> amount of people to view your website, and you don't want to lock out
>> people with old hardware/software. Still, maybe it would be wise for the
>> Internet community to start doing this for security reasons and not just
>> Google rankings.
>>
>> Michael Lazin
>>
>> to gar auto estin noein te kai ennai
> 
> "Encrypt everything all the time" is generally not a good stance to take.

I take issue with this and am of the opposite opinion: I think
everything should be encrypted by default.

> Encrypt things that should be, like sensitive data? Absolutely. But
> unquestioned enforced encryption is a generally bad idea because
> encryption requires trust, which leads to either needing to verify every
> single site or trusting a central authority. Which can then be a single
> point of failure, technologically or politically.

So does not-encryption. In fact, that requires more trust, it requires
trust with everyone in the entire universe, trust that they won't abuse
the information they glean from looking over my shoulder.
Sure, my trust might be misplaced, but even if it is, the compromising
is limited in my encrypted communications with you. That misuse of trust
can be compartmentalized.

Note that I'm not talking about HTTPS and the problems around the certs,
just about the premise that "only sensitive things need encryption".

The thing is, I don't have any business looking at your comms, and you
don't have any business looking at mine. With encryption being so
'cheap', why wouldn't I encrypt it? Why wouldn't I put something in
place to make your life just a little shittier if you want to pry into
my comms?

> You don't need to encrypt a website that's purely informational, for

Of course I do. Because you (as non-party in the conversation between me
and the purely informational site) have no business looking at what I'm
talking about with that server. That server might even be hosting
multiple different sites, and in that case, using ESNI, you don't even
know which site on that server I'm talking to. Because you have no
business knowing that.

What is 'informational' to you, is deviant to another, and the decision
is not yours to make when it comes to what /I/ find 'sensitive' and what
I don't.
What is innocent today, may be illegal tomorrow.

On top of this all, when you encrypt it all, you're making it harder for
anyone to target everyone... just think about that for a while.

> instance, unless it contains that sensitive data. It can of course help
> with *ensuring integrity* of that data, but it's generally not without
> its complications and a whole new can of worms.
> 
> This proposal also complicates (needlessly, in many cases)
> reverse-proxying and load balancing, it breaks numerous "upper"
> protocols that rely on HTTP as a transport (but don't account for TLS
> tunnelling), it breaks XSD validation, it complicates (if not breaks)
> NATted LAN HTTP communication, and makes packet tracing/packet dumps
> utterly useless for debugging. Just to name a few off the top of my head.
> 
> A good example of this is the DoH hype. Now Comcast, with its arguably
> quite questionable decisions regarding business ethics, is doing this:

Don't get me started on DoH... I'm not a fan to say the least.


___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug