Re: [perpass] perens-perpass-appropriate-response-01
Nicholas Weaver <nweaver@icsi.berkeley.edu> Fri, 06 December 2013 19:31 UTC
Return-Path: <nweaver@icsi.berkeley.edu>
X-Original-To: perpass@ietfa.amsl.com
Delivered-To: perpass@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B9B561AE053 for <perpass@ietfa.amsl.com>; Fri, 6 Dec 2013 11:31:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.302
X-Spam-Level:
X-Spam-Status: No, score=-1.302 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_14=0.6, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JU3Y6NJ0YZYg for <perpass@ietfa.amsl.com>; Fri, 6 Dec 2013 11:31:28 -0800 (PST)
Received: from rock.ICSI.Berkeley.EDU (rock.ICSI.Berkeley.EDU [192.150.186.19]) by ietfa.amsl.com (Postfix) with ESMTP id A8BC81AD84D for <perpass@ietf.org>; Fri, 6 Dec 2013 11:31:28 -0800 (PST)
Received: from localhost (localhost.localdomain [127.0.0.1]) by rock.ICSI.Berkeley.EDU (Postfix) with ESMTP id E791B2C400B; Fri, 6 Dec 2013 11:31:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at ICSI.Berkeley.EDU
Received: from rock.ICSI.Berkeley.EDU ([127.0.0.1]) by localhost (maihub.ICSI.Berkeley.EDU [127.0.0.1]) (amavisd-new, port 10024) with LMTP id HkwzqsTbDIMN; Fri, 6 Dec 2013 11:31:24 -0800 (PST)
Received: from [192.168.0.4] (nweaver-monitored-ap.icir.org [192.150.187.133]) (Authenticated sender: nweaver) by rock.ICSI.Berkeley.EDU (Postfix) with ESMTP id 4CE6A2C4004; Fri, 6 Dec 2013 11:31:24 -0800 (PST)
Content-Type: multipart/signed; boundary="Apple-Mail=_1DEFFF13-372B-4D1D-B00F-F034F52100A9"; protocol="application/pgp-signature"; micalg="pgp-sha512"
Mime-Version: 1.0 (Mac OS X Mail 6.6 \(1510\))
From: Nicholas Weaver <nweaver@icsi.berkeley.edu>
In-Reply-To: <52A2235A.2030801@perens.com>
Date: Fri, 06 Dec 2013 11:31:23 -0800
Message-Id: <ADD6858C-7548-479E-BB71-316E9C52F812@icsi.berkeley.edu>
References: <E2DA1477-C86E-441E-A33D-D47A0D67AFF3@iab.org> <EF9BD1E4-6EF3-4035-AC4E-1A2D3CADE615@mnot.net> <529E8494.7000806@perens.com> <20131204111309.GB11727@nic.fr> <529F61D8.6030105@perens.com> <20131204171207.GC19914@thunk.org> <529F63C0.3040804@perens.com> <529F88AC.3090904@appelbaum.net> <529F90A0.8000706@perens.com> <529F9205.30906@appelbaum.net> <529F98C0.9090808@perens.com> <529F9F14.8050805@appelbaum.net> <529FB61A.7090604@perens.com> <529FBEF9.7030205@appelbaum.net> <529FC347.3080806@perens.com> <52A15835.2070901@cis-india.org> <52A21B80.8070005@mykolab.com> <52A21D1C.8020000@perens.com> <BC888A6F-F048-4BA6-92F4-8812753F8534@icsi.berkeley.edu> <52A2235A.2030801@perens.com>
To: Bruce Perens <bruce@perens.com>
X-Mailer: Apple Mail (2.1510)
Cc: perpass@ietf.org, Nicholas Weaver <nweaver@icsi.berkeley.edu>
Subject: Re: [perpass] perens-perpass-appropriate-response-01
X-BeenThere: perpass@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "The perpass list is for IETF discussion of pervasive monitoring. " <perpass.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/perpass>, <mailto:perpass-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/perpass/>
List-Post: <mailto:perpass@ietf.org>
List-Help: <mailto:perpass-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/perpass>, <mailto:perpass-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Dec 2013 19:31:29 -0000
On Dec 6, 2013, at 11:19 AM, Bruce Perens <bruce@perens.com> wrote: > On 12/06/2013 10:58 AM, Nicholas Weaver wrote: >> Include a checkbox in the browser saying "Fuck it all, show my data to the world" which broadcasts the session key in the clear. > I know you intended this to be sarcastic, but opting out of the concealment society does not mean that the user doesn't have the sense to conceal things when it is actually necessary, vs. when it is in their honest opinion an off-the-scale response to the problem. > > Punishing them by revealing their credit card numbers is not an appropriate response to their wanting to load static images, javascripts, and CSS in the clear. Then make the checkbox "Fuck it all, show my data to the world IF THE SERVER CONSENTS", and have the leakage require both the server and client. I'm not kidding here. Cleartext without data integrity is a outright risk on the current and future Internet. I don't care about surveillance. (Well, I do, but...). What I care about is attack surface for exploitation, an attack surface that is enormous, easy to use, and hey, the US government said "Game on!", and where everyone else can say "It wasn't me. And hey, even if it was, you started it, sauce pour l'oie..." Especially for "javascripts and CSS" which you seem so happy to pass in the clear: You let an attacker see a SINGLE ONE of your cleartext JavaScript or CSS fetches and you are FUBAR. Game over, you're p0wned, have a nice day. -- Nicholas Weaver it is a tale, told by an idiot, nweaver@icsi.berkeley.edu full of sound and fury, 510-666-2903 .signifying nothing PGP: http://www1.icsi.berkeley.edu/~nweaver/data/nweaver_pub.asc
- [perpass] perens-perpass-appropriate-response-01 Bruce Perens
- Re: [perpass] perens-perpass-appropriate-response… JOSEFSSON Erik
- Re: [perpass] perens-perpass-appropriate-response… Martin Millnert
- Re: [perpass] perens-perpass-appropriate-response… Stephane Bortzmeyer
- Re: [perpass] perens-perpass-appropriate-response… Hannes Tschofenig
- Re: [perpass] perens-perpass-appropriate-response… Yoav Nir
- Re: [perpass] perens-perpass-appropriate-response… S Moonesamy
- Re: [perpass] perens-perpass-appropriate-response… Bruce Perens
- Re: [perpass] perens-perpass-appropriate-response… Theodore Ts'o
- Re: [perpass] perens-perpass-appropriate-response… Bruce Perens
- Re: [perpass] perens-perpass-appropriate-response… Nicholas Weaver
- Re: [perpass] perens-perpass-appropriate-response… Bruce Perens
- Re: [perpass] perens-perpass-appropriate-response… Nicholas Weaver
- Re: [perpass] perens-perpass-appropriate-response… Brian E Carpenter
- Re: [perpass] perens-perpass-appropriate-response… Jacob Appelbaum
- Re: [perpass] perens-perpass-appropriate-response… Bruce Perens
- Re: [perpass] perens-perpass-appropriate-response… Martin Thomson
- Re: [perpass] perens-perpass-appropriate-response… Bruce Perens
- Re: [perpass] perens-perpass-appropriate-response… Bruce Perens
- Re: [perpass] perens-perpass-appropriate-response… Jacob Appelbaum
- Re: [perpass] perens-perpass-appropriate-response… Jacob Appelbaum
- Re: [perpass] perens-perpass-appropriate-response… Nicholas Weaver
- Re: [perpass] perens-perpass-appropriate-response… Andreas Kuckartz
- Re: [perpass] perens-perpass-appropriate-response… Bruce Perens
- Re: [perpass] perens-perpass-appropriate-response… Bruce Perens
- Re: [perpass] perens-perpass-appropriate-response… Brian E Carpenter
- Re: [perpass] perens-perpass-appropriate-response… Ted Lemon
- Re: [perpass] perens-perpass-appropriate-response… l.wood
- Re: [perpass] perens-perpass-appropriate-response… Jacob Appelbaum
- Re: [perpass] perens-perpass-appropriate-response… Jacob Appelbaum
- Re: [perpass] perens-perpass-appropriate-response… Phillip Hallam-Baker
- Re: [perpass] perens-perpass-appropriate-response… Bruce Perens
- Re: [perpass] perens-perpass-appropriate-response… Bruce Perens
- Re: [perpass] perens-perpass-appropriate-response… Ted Lemon
- Re: [perpass] perens-perpass-appropriate-response… Ted Lemon
- Re: [perpass] perens-perpass-appropriate-response… Bruce Perens
- Re: [perpass] perens-perpass-appropriate-response… Jacob Appelbaum
- Re: [perpass] perens-perpass-appropriate-response… Ted Lemon
- Re: [perpass] perens-perpass-appropriate-response… Jacob Appelbaum
- Re: [perpass] perens-perpass-appropriate-response… Bruce Perens
- Re: [perpass] perens-perpass-appropriate-response… Bruce Perens
- Re: [perpass] perens-perpass-appropriate-response… Ted Lemon
- Re: [perpass] perens-perpass-appropriate-response… Jacob Appelbaum
- Re: [perpass] perens-perpass-appropriate-response… Stephane Bortzmeyer
- Re: [perpass] perens-perpass-appropriate-response… Joseph Lorenzo Hall
- Re: [perpass] perens-perpass-appropriate-response… Eliot Lear
- Re: [perpass] perens-perpass-appropriate-response… Pranesh Prakash
- Re: [perpass] Fwd: Re: perens-perpass-appropriate… Phillip Hallam-Baker
- Re: [perpass] perens-perpass-appropriate-response… SM
- Re: [perpass] perens-perpass-appropriate-response… Andreas Kuckartz
- Re: [perpass] perens-perpass-appropriate-response… Jacob Appelbaum
- [perpass] Egal wie man diskutiert (was: perens-pe… SM
- Re: [perpass] perens-perpass-appropriate-response… Paul Ferguson
- Re: [perpass] perens-perpass-appropriate-response… Bruce Perens
- Re: [perpass] perens-perpass-appropriate-response… Nicholas Weaver
- Re: [perpass] perens-perpass-appropriate-response… Bruce Perens
- Re: [perpass] perens-perpass-appropriate-response… Nicholas Weaver
- Re: [perpass] perens-perpass-appropriate-response… Bruce Perens
- Re: [perpass] perens-perpass-appropriate-response… Nicholas Weaver
- Re: [perpass] Fwd: Re: perens-perpass-appropriate… Phillip Hallam-Baker
- Re: [perpass] perens-perpass-appropriate-response… Andreas Kuckartz
- Re: [perpass] perens-perpass-appropriate-response… Ralf Skyper Kaiser
- Re: [perpass] perens-perpass-appropriate-response… Bjoern Hoehrmann
- Re: [perpass] perens-perpass-appropriate-response… John Wroclawski
- [perpass] Using the abusrd isn't a compelling arg… Bruce Perens
- Re: [perpass] perens-perpass-appropriate-response… Bruce Perens
- Re: [perpass] perens-perpass-appropriate-response… Bruce Perens
- Re: [perpass] perens-perpass-appropriate-response… Bruce Perens
- Re: [perpass] perens-perpass-appropriate-response… Jacob Appelbaum
- Re: [perpass] perens-perpass-appropriate-response… Jacob Appelbaum
- Re: [perpass] perens-perpass-appropriate-response… Jacob Appelbaum
- Re: [perpass] perens-perpass-appropriate-response… Stephen Farrell
- Re: [perpass] perens-perpass-appropriate-response… Nicholas Weaver
- Re: [perpass] Egal wie man diskutiert Hannes Tschofenig
- [perpass] Fwd: Re: perens-perpass-appropriate-res… Bruce Perens
- [perpass] Fwd: Re: perens-perpass-appropriate-res… Bruce Perens
- Re: [perpass] Fwd: Re: perens-perpass-appropriate… Christian Huitema
- Re: [perpass] Fwd: Re: perens-perpass-appropriate… Nicholas Weaver
- Re: [perpass] Egal wie man diskutiert Phillip Hallam-Baker
- Re: [perpass] Egal wie man diskutiert Kent_Landfield
- Re: [perpass] Egal wie man diskutiert Phillip Hallam-Baker
- Re: [perpass] perens-perpass-appropriate-response… Robin Wilton
- Re: [perpass] perens-perpass-appropriate-response… Robin Wilton
- Re: [perpass] Fwd: Re: perens-perpass-appropriate… Stephen Farrell
- Re: [perpass] Fwd: Re: perens-perpass-appropriate… Hannes Tschofenig
- Re: [perpass] perens-perpass-appropriate-response… Albert Lunde
- Re: [perpass] perens-perpass-appropriate-response… Robin Wilton
- Re: [perpass] Fwd: Re: perens-perpass-appropriate… Stephen Kent
- Re: [perpass] Fwd: Re: perens-perpass-appropriate… Stephen Kent
- Re: [perpass] perens-perpass-appropriate-response… Dave Crocker
- Re: [perpass] perens-perpass-appropriate-response… Richard Barnes
- Re: [perpass] perens-perpass-appropriate-response… Dave Crocker
- Re: [perpass] perens-perpass-appropriate-response… Bruce Perens