(newest first)

  • Kristoffer Bj√∂rk | Tue, 17 Mar 2015 09:05:39 UTC

    There are also "middleboxes" that either inspects traffic or change it (ad and/or javascript injection etc). These do not support http2 yet, so without encrypting http2 you need to wait for all these boxes to update before you can test and/or deploy anything. This is why SCTP and other newer (better?) protocols arent used, a massive amount of broken devices that brakes when you do something else than really old protocols since noone bother to update the software they run.
  • Adam Roach | Sun, 22 Feb 2015 21:06:09 UTC

    "The same browsers, ironically, treat self-signed certificates as if they were mortally dangerous, despite the fact that they offer secrecy at trivial cost."
    You can't evaluate this behavior in a vacuum, though. Using your definitions for privacy and secrecy: these kinds of decisions are coupled with very deliberate actions that provide actual privacy (which provides protection against active and passive attackers) for the same cost as one can achieve secrecy (which only protects against passive attacks). See for the alternative. All other things being equal, the tools "Let's Encrypt" will provide are even easier to use than installing a self-signed cert.
    When faced with the opportunity to deploy good security for the same cost as bad, choosing the good security path seems like a far more rational choice.
  • Greg Wilkins | Fri, 09 Jan 2015 12:57:06 UTC

    @Robert Thille,   actually TLS does not well hide who is using the NYT contact form vs who is reading the NYT front page.    Given just the request/response sizes and their timing and sequense, the NSA can pretty much determine what pages you are reading on the NYT, if you have navigated to the contacts page and if you are sending data.
    TLS everywhere is over promising.   It might help privacy a little bit in a few circumstances, but not a lot in many more.
  • Rich | Thu, 08 Jan 2015 20:25:39 UTC

    Authenticated communications aren't just for privacy. It doesn't matter if the resource I'm downloading is a news article, source code, an executable, or even cat pictures, I want to be certain that what I'm getting is actually what I'm expecting it to be, without any alterations having been made in-transit by third parties. The same is true for the information going in the opposite direction; what I transmit ought to arrive at its destination unaltered by any third parties.
    Is SSL/TLS as currently implemented, with its reliance on trusting known-untrustworthy third parties, fundamentally broken? Absolutely. Even with it as broken as it currently is, it's still better than nothing though.
  • Jack | Thu, 08 Jan 2015 12:37:07 UTC

    "most memorable event of 1989" - WTF!? What about the Berlin wall coming down?
  • malthe | Thu, 08 Jan 2015 07:28:42 UTC

    NYT is a large website and you can engage with it. Why would I not want encryption? Note that NYT can't see my other traffic, but those who tap in on the network can.
  • duane | Thu, 08 Jan 2015 04:15:25 UTC

    "dub dub dub" that wasn't so hard, was it 
    (apparently the comment filter wasn't happy with this being a one line comment, good going boys)
  • Milton | Wed, 07 Jan 2015 23:15:10 UTC

    www is nothing if not international, where it often has fewer sylables. But although I never spoke to a German about it, it seems absolutely hilarious in German. It is pronounced like the word "weh" (sounds like english "vay") which means woe (or injury), invoking an almost biblical "woe woe woe" at the beginning of each url, or, like the Max und Moritz classic German stories describing fairly violent strikes carried out against members the community by Max and Moritz "wehe wehe wehe wenn ich auf das ende sehe".
  • Robert Thille | Wed, 07 Jan 2015 20:43:22 UTC

    Well, if everyone going to the NYT site use https, and almost all of them were reading news, and some of them were using a contact form to reach a reporter to reveal illegal spying by the NSA, it'd be a lot harder for the NSA to catch that than if only the contact form were over https.
    Whether that's worth the cost in CO2 pollution, I don't know...
  • rotek | Wed, 07 Jan 2015 18:09:51 UTC

    Furthermore, HTTP/2.0 does not address one of the primary problems with HTTP, head of line blocking, because it is still TCP based.
    HTTP 2.0 is even more vulnerable to it, because it transmits all the data on the same TCP connection. When even one packet gets lost, the whole communication with the server is blocked. Whereas, in HTTP/1.1, only one of (for example) six parallel TCP connections is blocked in such case.
  • Poul-Henning Kamp | Wed, 07 Jan 2015 16:50:27 UTC

    mancin:  Using self-signed-certs for *secrecy* does not imply any level of *authentication*.  browsers should just accept SSC's and treat them as an unauthenticated HTTP connections (ie: show no padlock).  That would disable NSA's "Total take" and ability to do trivial keyword searches on *all* traffic.
    Nathan:  I guess you're right.
    Innocent: I'm arguing that HTTP/2 is neither fowl nor fish.  When you open a TCP connection to NYT, don't you think NSA can guess you are reading news, even if you use encryption ?  Is encrypting NYTs frontpage then really worth the CO2 polution ?
  • Elijah Lynn | Wed, 07 Jan 2015 15:58:31 UTC

    More discussion over at
  • Innocent Bystander | Wed, 07 Jan 2015 15:40:50 UTC

    You're simultaneously arguing that HTTP 2.0 is too private and not private enough!
    The first step to stop a lot of NSA-style snooping is TLS and TLS everywhere, the EFF has made this abundantly clear. Why do you think it's OK for media companies to disregard privacy, but it's not OK for Google to disregard privacy?
  • Nathan Alden, Sr. | Wed, 07 Jan 2015 14:58:52 UTC

    WWW has three times as many syllables as World Wide Web, FWIW. :)
  • marcin | Wed, 07 Jan 2015 14:32:03 UTC

    Note that unencrypted traffic is possible to alter on the fly (e.g. changing news, adding evil scripts).
    Also self-signed certificates should be banned because they are less safe, anyone can sign any domain.
    I think lots of the arguments in this article are missed.
Leave this field empty

Post a Comment:

(Required - 4,000 character limit - HTML syntax is not allowed and will be removed)