Re: [perpass] perens-perpass-appropriate-response-01

Bruce Perens <bruce@perens.com> Fri, 06 December 2013 20:04 UTC

In-Reply-To: <ADD6858C-7548-479E-BB71-316E9C52F812@icsi.berkeley.edu>
References: <E2DA1477-C86E-441E-A33D-D47A0D67AFF3@iab.org> <EF9BD1E4-6EF3-4035-AC4E-1A2D3CADE615@mnot.net> <529E8494.7000806@perens.com> <20131204111309.GB11727@nic.fr> <529F61D8.6030105@perens.com> <20131204171207.GC19914@thunk.org> <529F63C0.3040804@perens.com> <529F88AC.3090904@appelbaum.net> <529F90A0.8000706@perens.com> <529F9205.30906@appelbaum.net> <529F98C0.9090808@perens.com> <529F9F14.8050805@appelbaum.net> <529FB61A.7090604@perens.com> <529FBEF9.7030205@appelbaum.net> <529FC347.3080806@perens.com> <52A15835.2070901@cis-india.org> <52A21B80.8070005@mykolab.com> <52A21D1C.8020000@perens.com> <BC888A6F-F048-4BA6-92F4-8812753F8534@icsi.berkeley.edu> <52A2235A.2030801@perens.com> <ADD6858C-7548-479E-BB71-316E9C52F812@icsi.berkeley.edu>
From: Bruce Perens <bruce@perens.com>
Date: Fri, 06 Dec 2013 11:48:44 -0800
To: Nicholas Weaver <nweaver@icsi.berkeley.edu>
Message-ID: <c97f3134-eedf-44e1-880c-147efb172fc6@email.android.com>
Cc: perpass@ietf.org
Subject: Re: [perpass] perens-perpass-appropriate-response-01

On 12/06/2013 11:31 AM, Nicholas Weaver wrote:

> Then make the checkbox "Fuck it all, show my data to the world IF THE SERVER CONSENTS", and have the leakage require both the server and client. I'm not kidding here.

So, first lose the obnoxious part. Then, provide them with a real choice:

1. Use HTTP preferentially except where the server specifies HTTPS. Servers will generally specify HTTPS for credit cards, login screens, and other sensitive data. This is potentially the fastest method, but the least secure.
2. Always use HTTPS preferentially for the body page and URLs from the address bar or bookmarks, but load embedded resources within the page using HTTP unless the server directs otherwise. This is a good compromise for most people.
3. Always use HTTPS preferentially for all requests. This is potentially most secure and slowest.

Then make the default whatever your preference is.

> Especially for "javascripts and CSS" which you seem so happy to pass in the clear: You let an attacker see a SINGLE ONE of your cleartext JavaScript or CSS fetches and you are FUBAR. Game over, you're p0wned, have a nice day.

See your fetches? I understand MITM, etc., but see them?

Thanks

Bruce

-- 
Sent from my Android phone with K-9 Mail. Please excuse my brevity.
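The three browser modes Perens lists above, and the exposure Weaver's "single cleartext fetch" remark points at, as an added example that is not part of the thread and not code from either author. It models each mode as a scheme-selection rule and then classifies a page's fetches: any script or stylesheet pulled over cleartext can be rewritten in transit and then runs with the page's privileges, so the page is treated as compromisable. The request shape, the `serverRequiresHttps` flag (standing in for an explicit https:// link or an HSTS-style policy), and the sample page are all constructed for this example; it also assumes the server can serve every resource over HTTPS, so no fallback logic is modelled.

```javascript
// Browser modes as proposed in the message (numbering follows the list there).
const MODES = {
  HTTP_UNLESS_SERVER_SAYS: 1,      // HTTP unless the server specifies HTTPS
  HTTPS_NAV_HTTP_SUBRESOURCES: 2,  // HTTPS for the document, HTTP for embedded resources
  HTTPS_ALWAYS: 3,                 // HTTPS for every request
};

// A request is a constructed object:
//   { kind: 'navigation' | 'subresource', type: 'document'|'script'|'style'|'image',
//     url: 'host/path', serverRequiresHttps: boolean }
function chooseScheme(mode, req) {
  // Server-directed HTTPS (assumed here to be a boolean on the request) wins in every mode.
  if (req.serverRequiresHttps) return 'https';
  switch (mode) {
    case MODES.HTTP_UNLESS_SERVER_SAYS:
      return 'http';
    case MODES.HTTPS_NAV_HTTP_SUBRESOURCES:
      return req.kind === 'navigation' ? 'https' : 'http';
    case MODES.HTTPS_ALWAYS:
      return 'https';
    default:
      throw new Error(`unknown mode ${mode}`);
  }
}

// Resource types that execute or restyle the page: tampering with one in transit
// gives an on-path attacker control of the page, whatever scheme the document used.
const ACTIVE_TYPES = new Set(['script', 'style']);

// Resolve every fetch under the given mode and report cleartext active content.
function assessPage(mode, pageRequests) {
  const fetches = pageRequests.map((r) => ({ ...r, scheme: chooseScheme(mode, r) }));
  const cleartextActive = fetches.filter((f) => f.scheme === 'http' && ACTIVE_TYPES.has(f.type));
  return {
    fetches,
    pageCompromisable: cleartextActive.length > 0,
    cleartextActive: cleartextActive.map((f) => f.url),
  };
}

// Constructed sample: a document that embeds a script, a stylesheet and an image,
// none of which the server explicitly forces to HTTPS.
const SAMPLE_PAGE = [
  { kind: 'navigation', type: 'document', url: 'example.test/', serverRequiresHttps: false },
  { kind: 'subresource', type: 'script', url: 'cdn.example.test/app.js', serverRequiresHttps: false },
  { kind: 'subresource', type: 'style', url: 'cdn.example.test/site.css', serverRequiresHttps: false },
  { kind: 'subresource', type: 'image', url: 'img.example.test/logo.png', serverRequiresHttps: false },
];

// Compare the three modes on one page: which of them leave the page compromisable?
function compareModes(page = SAMPLE_PAGE) {
  const result = {};
  for (const [name, mode] of Object.entries(MODES)) {
    result[name] = assessPage(mode, page).pageCompromisable;
  }
  return result;
}

console.log(compareModes());
console.log(assessPage(MODES.HTTPS_NAV_HTTP_SUBRESOURCES, SAMPLE_PAGE).cleartextActive);
```

Run with `node`, the output shows that modes 1 and 2 both leave `app.js` and `site.css` on cleartext for this page, so the compromise Weaver describes needs only one of those fetches to be intercepted; mode 3 is the only one with no cleartext active content, and mode 2 only helps once the server itself marks its scripts and styles as HTTPS-only.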