On 24 July 2014 07:10, Ed Burns (JIRA) <jira-no-reply_at_java.net> wrote:
> Ed Burns created SERVLET_SPEC-95:
> ------------------------------
>
> Summary: Require that TLS is supported
Ed et al,
I'm very much against this. While I don't dispute the premise that
"Pervasive Monitoring Is an Attack", I don't believe that https is a
solution that comes anywhere near close enough to solve that issue.
https does not hide who you are talking to, when you talk to them or even
how much you talk and in what size chunks. So pretty much all of your
metadata is available to those monitoring you. By examining public
websites you visit, the monitor can use size and sequence information to
work out what pages you have visited. Worse yet, because of things like
http://en.wikipedia.org/wiki/CRIME it is often possible for even the
content to be cracked. CRIME came about because compressed data that had
never been considered for security was put over TLS.
TLS is simply insufficient to provide any level of protection from
monitoring and it actually makes things worse to pretend that it does.
Traffic carried by TLS needs to be carefully considered so that it is
protected from CRIME-like attacks. The more attacker-controllable data is
sent over TLS, the worse CRIME-like vulnerabilities become, so forcing
non-secure traffic to TLS will reduce the protection available to important
data.
regards
--
Greg Wilkins <gregw_at_intalio.com>
http://eclipse.org/jetty HTTP, SPDY, Websocket server and client that scales
http://www.webtide.com advice and support for jetty and cometd.
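The compression side channel Greg refers to, as an added illustration that is not part of the thread: a constructed page (the `HEAD`/`MID`/`TAIL` template, the placeholder `SECRET` and the two probe strings are all assumptions) echoes untrusted text next to a secret, and the DEFLATE output length, which TLS does not hide, shrinks when the untrusted text resembles the secret; compressing the untrusted part separately and sending the secret-bearing part uncompressed removes that signal.

```python
import zlib

# Constructed demo page: untrusted text (a search string) is echoed next to a
# secret the page must not leak. All values here are placeholders.
SECRET = "session=9f3ac1"
HEAD = "<p>Results for "
MID = "</p>\n"
TAIL = f"<input name=csrf value='{SECRET}'>"


def compressed_len(data: str) -> int:
    """Bytes on the wire after DEFLATE; TLS hides the bytes, not this number."""
    return len(zlib.compress(data.encode(), 9))


def mixed_context_len(injected: str) -> int:
    """Weak layout: untrusted text and the secret share one LZ77 window, so any
    substring they have in common becomes a back-reference and the output
    shrinks. That length difference is the CRIME signal."""
    return compressed_len(HEAD + injected + MID + TAIL)


def split_context_len(injected: str) -> int:
    """Hardened layout: compress only the part carrying untrusted input and send
    the secret-bearing part uncompressed, so the observable length cannot
    depend on how much the untrusted text resembles the secret."""
    return compressed_len(HEAD + injected + MID) + len(TAIL.encode())


def leaks_secret(measure, candidate: str, decoy: str) -> bool:
    """True when the length observable for `candidate` differs from that for a
    same-length decoy made of the same characters but sharing no 3-byte run
    with the secret (so on their own the two compress identically)."""
    return measure(candidate) != measure(decoy)


CANDIDATE = SECRET                # text that matches the secret exactly
DECOY = "s9ef3sai=oc1sn"          # same characters, shuffled; no common 3-gram

if __name__ == "__main__":
    for name, measure in (("mixed", mixed_context_len), ("split", split_context_len)):
        verdict = "leaks" if leaks_secret(measure, CANDIDATE, DECOY) else "no signal"
        print(f"{name}: candidate={measure(CANDIDATE)} decoy={measure(DECOY)} -> {verdict}")
```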