On Wed, Apr 15, 2015 at 9:13 PM, Karl Dubost <kdub...@mozilla.com> wrote:
> As Robert is saying:
>
> On 16 Apr 2015 at 00:29, Robert Kaiser <ka...@kairo.at> wrote:
> > I think we need to think very hard about what reasons people have to
> > still not use TLS and how we can help them to do so.
>
> Definitely.
> The resistance in this thread is NOT about "people against security", but
> 1. we want to be able to choose
> 2. if we choose safe, we want that choice to be easy to activate.
>

Please see McManus's argument for why putting all the choice in webmasters' hands is not really the best option for today's web.

> # Drifting
>
> Socially, eavesdropping is part of our daily life. We go to a café, we are
> having a discussion and people around you may listen to what you are saying.
> You read a book in the train, a newspaper and people might see what you are
> reading.
>
> We adjust the type of discussions depending on the context. The café is
> too "dangerous", too "privacy invasive" and we decide to go to a safer
> environment, sometimes a safer environment is not necessarily being hidden
> (encryption), but being more public. As I said, contexts.
>
> (Note above my usage of the word safe and not secure)
>

Of course, in the café, you can evaluate who has access to your communication -- you can look around and see.

When you load a web page, your session traverses, on average, four different entities [1], any of whom can subvert your communications. The user has no visibility into this path, not least because it often can't be predicted in advance. You're in the UK, talking to a server in Lebanon. Does your path traverse France? Possibly! (Probably!)

The idea that the user can evaluate the trustworthiness of every ISP between his computer and a web server seems pretty outlandish. Maybe in some limited development or enterprise environments, but certainly not for the general web.

> # Back to the topic
>
> It's important for the user to understand the weaknesses and the strength
> of the environment so they can make a choice. You could almost imagine that
> you do not care to be plain text until a moment where you activate a secure
> mode. (change of place in the cafe)
>
> Also we need to think in terms of P2P communications, not only
> broadcaster-consumers (1-to-many). If the Web becomes something which is
> harder and harder to start hacking on and communicating with your peers,
> then we reinforce the power of big hierarchical structures and we change
> the balance that Web brought over the publishing/media industry. We should
> always strive for bringing the tools that empower individual people with
> their ideas and expressions.
>
> Security is part of it. But security doesn't necessarily equate to safer.
> It's just a tool that can be used in some circumstances.
>
> Do we want to deprecate HTTP? Or do we want to make it more obvious when
> the connection is not secure? These are two very different things.
>

http://i.imgur.com/c7NJRa2.gif

--Richard

[1] http://bgp.potaroo.net/as6447/
[2] http://www.lemonde.fr/pixels/article/2015/04/16/les-deputes-approuvent-un-systeme-de-surveillance-du-trafic-sur-internet_4616652_4408996.html

> --
> Karl Dubost, Mozilla
> http://www.la-grange.net/karl/moz

_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform