SoylentNews

Pseudo HTTPS Proposed

posted by Dopefish on Monday February 24 2014, @06:00PM   
from the things-could-get-hairy dept.

mrbluze writes:

"A modified HTTP protocol is being proposed (the proposal is funded by AT&T) which would allow ISP's to decrypt and re-encrypt traffic as part of day to day functioning in order to save money on bandwidth through caching. The draft document states:

To distinguish between an HTTP2 connection meant to transport "https" URIs resources and an HTTP2 connection meant to transport "http" URIs resource, the draft proposes to 'register a new value in the Application Layer Protocol negotiation (ALPN) Protocol IDs registry specific to signal the usage of HTTP2 to transport "http" URIs resources: h2clr.

The proposal is being criticized by Lauren Weinstein in that it provides a false sense of security to end users who might believe that their communications are actually secure. Can this provide an ISP with an excuse to block or throttle HTTPS traffic?"

• Re:Plain Text Connections and Caching are Not Evil (Score: 3, Interesting) by maxwell demon on Tuesday February 25 2014, @07:32AM

  by maxwell demon (1608) on Tuesday February 25 2014, @07:32AM (#6458) Journal

  However, those non-encrypted parts should at least be digitally signed, so that you can be sure that the cached version really is the one the server sent, and not some malicious replacement. Of course the corresponding public key should be sent encrypted so you can be sure it has not been messed with.

  --
  The Tao of math: The numbers you can count are not the real numbers.

  Parent

  Starting Score:	1		point
  Moderation		+1
  Interesting=1, Total=1
  Extra 'Interesting' Modifier		0
  Karma-Bonus Modifier		+1
  Total Score:		3