Re: [IAB] Mandatory encryption as part of HTTP2

Yaakov, you have very nicely summarized the strategy: We need to make attacks more expensive.

On 15.11.13 14:54, Yaakov Stein wrote:
That aside, just saying "you MUST do TLS with HTTP/2.0" doesn't buy much security in a world
where CAs are not trustworthy, people still use RC4/MD5, use woefully short keys for
otherwise strong algorithms, browsers have effectively trained people to always click
"visit anyway" and so on.

I believe that this proposal was in line with Bruce Schneier's suggestion at the plenary.
Do anything to make more work for people trying to listen in to everything on the Internet.

For example, put a key at the top of the content and then encrypt using this key.
This is meaningless from the confidentiality point of view,
but eats up computational resources and energy for someone trying to vacuum up everything.

Even better - when you don't have anything to transmit, send meaningless supposedly encrypted packets.
If everyone did this their storage costs would skyrocket.
Even better, send packets with easily broken encryption containing keywords of interest.

Y(J)S





