Re: [hybi] Why not just use ssh?

"Shelby Moore" <shelby@coolpage.com> Tue, 31 August 2010 20:40 UTC

Date: Tue, 31 Aug 2010 16:41:01 -0400
From: Shelby Moore <shelby@coolpage.com>
To: Adam Barth <ietf@adambarth.com>
Cc: hybi@ietf.org
Subject: Re: [hybi] Why not just use ssh?

>> I think we need to deliver on HTTP Upgrade.
>
> TLS works over any port.  The point of using TLS alone is to block
> cross-protocol attacks.  If we provide both TLS and non-TLS options,
> the attackers will choose the non-TLS option for their attackers
> whereas the folks who actually want to connect to the server more than
> 60-some percent of the time will use the TLS option.  Offering both is
> a lose-lose.

Notwithstanding that I think cross-protocol attacks are the fault of the
target protocol, do not forget that browsers can allow users to turn off
or opt in to certain features.

I am reminded of my "don't go chasing shadows" post about security:

http://www.ietf.org/mail-archive/web/http-state/current/msg00939.html

Blaming security holes on the messenger instead of on the actual hole
(injection point), or not hardening behind the firewall is analogous to
hardening a castle more by making the walls ever higher and the doors ever
smaller or more difficult to open.

The end result is starvation.

The most security is to break yourself into million parts and distribute
yourself.

So moving the security farther from the center is the answer.

We don't want to lock ourselves inside with the security holes, we expose
the holes so we can be outside and prosper, and so the holes will get
identified and fixed.

It goes back to "more eyeballs = shallower bugs" (Cathedral and Bazaar
model). It is all about maximizing the # of mutations per evolutionary
generation. Wasn't there a math book that said "thou shall go forth and
multiply"?

Conflation (blaming something for something else, or trying to
implement one thing by implementing multiple things) is worse than
wasteful, it is actually classified as evil in some ancient math books
(Parable of the Talents).

Motto: one post per day, make it count (love you Willy for teaching me).