On 30/07/2014 11:59 a.m., Alex Rousskov wrote: > On 07/27/2014 04:49 PM, Jason Haar wrote: > >> I do wonder where this will end. > > Since one cannot combine interception, inspection, and secure delivery, > this can only end when at least one of those components dies. > > Interception is probably the weak link here because it can be removed(*) > by technological means if enough folks decide it has to go. Inspection > (by trusted intermediaries) and secure delivery (through trusted > intermediaries) will probably stay (with modifications) because their > existence sprouts from the human nature (rather than just lack of > development discipline, will, and resources). > > >> How long before Firefox starts pinning, >> then MSIE, then it gets generalized, etc? > > If applied broadly, pinning in an interception world will clash with > government, corporate, and parental desire to protect "assets". With > todays technology, pinning can only survive on a limited scale IMHO. The > day after tomorrow, if interception dies, replaced by trusted > intermediaries, pinning will not be a problem. > > > Either that, or the entire web content is going to be owned by a few > content providers that would guarantee that their content is safe and > appropriate (hence, does not need to be inspected). This is what Google > claims with its pinning solution today, and I suspect it is not the > responsibility they actually want and enjoy. It is also a false claim. <http://www.thewhir.com/web-hosting-news/aws-supports-41-malware-hosting-sites-web-host-isp> Shared hosting providers are a well known source of malware and viral infection. Google hosted sites are no different even though their https:// service is pinned. They do well enough to only get an "also ran" mention but that is still not clean enough to warrant a bypass of inspection (hundreds or a few thousand infection points make up their their low % rating). Amos
