Stories
Slash Boxes
Comments

SoylentNews is people

Pseudo HTTPS Proposed

posted by Dopefish on Monday February 24 2014, @06:00PM   Printer-friendly
from the things-could-get-hairy dept.

mrbluze writes:

"A modified HTTP protocol is being proposed (the proposal is funded by AT&T) which would allow ISP's to decrypt and re-encrypt traffic as part of day to day functioning in order to save money on bandwidth through caching. The draft document states:

To distinguish between an HTTP2 connection meant to transport "https" URIs resources and an HTTP2 connection meant to transport "http" URIs resource, the draft proposes to 'register a new value in the Application Layer Protocol negotiation (ALPN) Protocol IDs registry specific to signal the usage of HTTP2 to transport "http" URIs resources: h2clr.

The proposal is being criticized by Lauren Weinstein in that it provides a false sense of security to end users who might believe that their communications are actually secure. Can this provide an ISP with an excuse to block or throttle HTTPS traffic?"

 
This discussion has been archived. No new comments can be posted.
Pseudo HTTPS Proposed | Log In/Create an Account | Top | 73 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 1, Interesting) by Bruce Perens on Tuesday February 25 2014, @01:18AM

    by Bruce Perens (916) on Tuesday February 25 2014, @01:18AM (#6315) Homepage

    The IETF are on a jihad against plain-text web connections. The next version of HTTP doesn't allow them at all.

    Without plain-text connections, caching won't work. If you operate a web server and aren't a big company, caching is how systems all over the net help you deliver your content as well as a company like Google that can afford thousands of hosts that are geographically close to all users. Caches are in those places where your servers aren't, and help to reduce the net overhead for everyone. Caching helps you compete with the big guys.

    HTTPS really does break caching. We need to have some sort of alternative that makes it work again. It can be this protocol, or it can be something else, but this is the only viable proposal so far.

    It's opt-in for web server operators. It doesn't have to be used for what really needs to be concealed from internet providers. But I can tell you for sure that those icons on top of the page, they don't need to be concealed. They should be cached.

    It's kind of silly to be attempting to engineer more security for the same web where fully half of the population use social networks. If the government wants your information, they will go to the servers.

    Bruce

    Starting Score:    1  point
    Moderation   0  
       Interesting=1, Overrated=1, Total=2
    Extra 'Interesting' Modifier   0  
    Total Score:   1  

  • (Score: 3, Interesting) by maxwell demon on Tuesday February 25 2014, @07:32AM

    by maxwell demon (1608) on Tuesday February 25 2014, @07:32AM (#6458) Journal

    However, those non-encrypted parts should at least be digitally signed, so that you can be sure that the cached version really is the one the server sent, and not some malicious replacement. Of course the corresponding public key should be sent encrypted so you can be sure it has not been messed with.

    --
    The Tao of math: The numbers you can count are not the real numbers.