Re: Proposed Statement on "HTTPS everywhere for the IETF"

Ted Lemon <Ted.Lemon@nominum.com> Thu, 04 June 2015 17:34 UTC

From: Ted Lemon <Ted.Lemon@nominum.com>
Subject: Re: Proposed Statement on "HTTPS everywhere for the IETF"
Date: Thu, 4 Jun 2015 13:34:31 -0400
To: Yoav Nir <ynir.ietf@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/JAAaYTg9b8ab-BevQWcqwbt7-A4>
Cc: "<ietf@ietf.org>" <ietf@ietf.org>

On Jun 4, 2015, at 3:06 AM, Yoav Nir <ynir.ietf@gmail.com> wrote:
> The statement (made by Richard Barnes, not by the IESG) that the IETF should lead by example and move to all HTTPS is very political. The proposal prioritizes the concerns of some group (small or large) and levies a burden on the entire community (TLS is not free; finding www.cleartext.ietf.org takes effort). That is a political decision. It’s a small one. I agree with John Klensin that this is something the IESG could (and should) have done on its own without starting a discussion on a proposed statement.

I don't disagree that TLS is not free. However, a useful measure of the importance of your statement here would be to ask you whether in fact https-by-default would actually be expensive enough to motivate you to change your behavior? I suspect the answer is no. Virtually all data that goes over the Internet is encrypted. Of course most of that is video streams, but think about how much data that is.

Compared to the puny amount of data that you can get by downloading content from the IETF, it's hard to imagine anyone using cleartext.ietf.org for any reason other than that they happen to live in a repressive society, in which case the need to use this feature will be a fairly minor inconvenience compared to the rest of the hassle that they are no doubt dealing with on a daily basis.

So why are we still arguing about this?