Re: Proposed Statement on "HTTPS everywhere for the IETF"

Ted Lemon <Ted.Lemon@nominum.com> Tue, 02 June 2015 12:48 UTC

To: "<l.wood@surrey.ac.uk>" <l.wood@surrey.ac.uk>
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/htyn0SL05gL1PYDS-edvhz6YHAc>
Cc: "<mnot@mnot.net>" <mnot@mnot.net>, "<ietf@ietf.org>" <ietf@ietf.org>

On Jun 2, 2015, at 8:00 AM, <l.wood@surrey.ac.uk> <l.wood@surrey.ac.uk> wrote:
> See TimBL's "don't break the web" request to keep the URIs the same, regardless of method of access

With HSTS, Sir Tim's broken URL objection goes away, I think. The idea of doing HTTP and having a certificate appear as a UI indication that the document was downloaded securely is bad design. It's too easy to fake, and users typically don't understand anyway. The goal should be to make it secure, not to tell the users it is secure.
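
Added example, not part of the original message: a minimal JavaScript model of how a user agent applies HSTS (RFC 6797), showing that a link written as http:// keeps its published form while the fetch is upgraded to https once the host's policy has been learned over TLS. The class and function names are hypothetical, and the host names and timestamps used with it are constructed.

```javascript
// Added illustration of RFC 6797 user-agent behaviour; all names are hypothetical.
function isIpLiteral(host) {
  return /^\[.*\]$/.test(host) || /^\d+\.\d+\.\d+\.\d+$/.test(host);
}
class HstsStore {
  constructor() {
    this.policies = new Map(); // host -> { expires, includeSubDomains }
  }

  // Process a Strict-Transport-Security header seen on a response for `url`.
  noteHeader(url, headerValue, nowMs) {
    const u = new URL(url);
    // Ignore the header over plain HTTP (forgeable) and for IP-literal hosts.
    if (u.protocol !== 'https:' || isIpLiteral(u.hostname)) return false;
    let maxAge = null, includeSubDomains = false;
    for (const part of headerValue.split(';')) {
      const [name, value = ''] = part.trim().split('=');
      if (name.trim().toLowerCase() === 'max-age') {
        const digits = value.trim().replace(/^"(.*)"$/, '$1');
        if (!/^\d+$/.test(digits)) return false;
        maxAge = Number(digits);
      } else if (name.trim().toLowerCase() === 'includesubdomains') {
        includeSubDomains = true;
      }
    }
    if (maxAge === null) return false; // max-age is a required directive
    if (maxAge === 0) { this.policies.delete(u.hostname); return true; } // forget host
    this.policies.set(u.hostname, { expires: nowMs + maxAge * 1000, includeSubDomains });
    return true;
  }

  // True if `host`, or a parent domain that set includeSubDomains, has a live policy.
  isKnownHstsHost(host, nowMs) {
    const labels = host.toLowerCase().split('.');
    return labels.some((_, i) => {
      const p = this.policies.get(labels.slice(i).join('.'));
      return Boolean(p) && p.expires > nowMs && (i === 0 || p.includeSubDomains);
    });
  }

  // The URI the user agent actually dereferences for a link written as `url`.
  effectiveUrl(url, nowMs) {
    const u = new URL(url);
    if (u.protocol === 'http:' && this.isKnownHstsHost(u.hostname, nowMs)) {
      u.protocol = 'https:'; // an explicit non-default port is preserved
    }
    return u.href;
  }
}
```

Until the first HTTPS response carrying the header has been seen, the http:// link is still fetched in the clear, which is the gap that preload lists address.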