Re: [squid-users] why squid can block https when i point my browser to port , and cant when its transparent ?

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 30 Jul 2014 16:55:41 +1200

On 30/07/2014 11:59 a.m., Alex Rousskov wrote:
> On 07/27/2014 04:49 PM, Jason Haar wrote:
>
>> I do wonder where this will end.
>
> Since one cannot combine interception, inspection, and secure delivery,
> this can only end when at least one of those components dies.
>
> Interception is probably the weak link here because it can be removed(*)
> by technological means if enough folks decide it has to go. Inspection
> (by trusted intermediaries) and secure delivery (through trusted
> intermediaries) will probably stay (with modifications) because their
> existence sprouts from the human nature (rather than just lack of
> development discipline, will, and resources).
>
>
>> How long before Firefox starts pinning,
>> then MSIE, then it gets generalized, etc?
>
> If applied broadly, pinning in an interception world will clash with
> government, corporate, and parental desire to protect "assets". With
> today's technology, pinning can only survive on a limited scale IMHO. The
> day after tomorrow, if interception dies, replaced by trusted
> intermediaries, pinning will not be a problem.
>
>
> Either that, or the entire web content is going to be owned by a few
> content providers that would guarantee that their content is safe and
> appropriate (hence, does not need to be inspected). This is what Google
> claims with its pinning solution today, and I suspect it is not the
> responsibility they actually want and enjoy.

It is also a false claim.
<http://www.thewhir.com/web-hosting-news/aws-supports-41-malware-hosting-sites-web-host-isp>

Shared hosting providers are a well known source of malware and viral
infection. Google hosted sites are no different even though their
https:// service is pinned. They do well enough to only get an "also
ran" mention but that is still not clean enough to warrant a bypass of
inspection (hundreds or a few thousand infection points make up their
low % rating).

Amos
Received on Wed Jul 30 2014 - 04:55:54 MDT
