Hello,
You utilized HTTP as an example on a mailing list concerned with SMTP;
we'll see how that goes below.
On Mon, 10 Jan 2022, Jaroslaw Rafa wrote:
[...]
> There are many sites like this, that contain only publicly available
> information. No login, no purchases, no personal data collected. What is the
> benefit of using HTTPS in that case? (Except for protecting you from
> possible spying, but what will be the value of the data obtained for someone
> spying on you, if the data is public already?)
>
> The recent hype towards "all sites must be HTTPS" is in my opinion caused
> solely by a wrong assumption that all websites are somehow commerce-related
> and collect personal data.
I strongly suspect they want everything encrypted so that there isn't a
"this is sekret infoz" proxy sticker on encrypted communications (speaking
strictly about HTTPS in this case) so real sekret infoz can hide in the
noise; I'm not opposed to this, neither am I zealous. Personally I think a
mix of encrypted and nonencrypted garbage is fine (and write to your
grandmother often).
Let's compare it to the recent hype about DNS over HTTP(S). Ironically
there is an encrypted option that is as easy as putting nginx in front of
a web server to terminate encryption, and that's to put it in front of the
DNS server to do the same thing (DoT): it's clients that have been slow on
the uptake (how long has nginx been doing that?), the only thing that's
been slower is the DNS community itself!
Both DoT / DoH are different ports than "normal" DNS; DoH uses HTTPS (see
where I'm going with this?). There can be little doubt that DoH is indeed
intended to "hide in the noise". However this causes other governance
problems if stolen or surreptitiously obtained information is being
exfiltrated in that it impedes traceability because the encryption happens
at the client and bypasses the network owner's [0] controls (which is the
default since the default utilizes public DoH servers).
Of course, the organization could choose to stand up DoH / DoT and force
its use but that's not the default. Since it's a store-and-forward
protocol, and the network owner runs a mail server, the owner therefore
has the chance to audit the content of email. Unimaginative, indolent
"it's always been this way" thinking would tend to assume this is the
default; but as the internet has become more centralized, is it truly
still the default?
The real issue is control.
--
Fred Morris, internet plumber
--
[0] I can't speak to the legal requirements in different jurisdictions. I
can say that on my network it's my rules, and I pay my upstreams to ship
coded electrons not process the data.
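
The DoT arrangement mentioned above (nginx terminating TLS in front of an existing DNS server), as an added configuration sketch that is not part of the original message. The resolver address, certificate paths, log path and client network are assumed placeholders.

```nginx
# Goes at the top level of nginx.conf (stream module, not inside http {}).
stream {
    # One line per client session, so use of the encrypted resolver
    # remains visible to the network owner.
    log_format dot '$time_iso8601 $remote_addr $ssl_protocol '
                   '$status $bytes_received $bytes_sent $session_time';
    access_log /var/log/nginx/dot.log dot;        # assumed log path

    upstream resolver_tcp {
        # Assumed: the existing resolver, answering plain DNS over TCP.
        server 127.0.0.1:53;
    }

    server {
        listen 853 ssl;                           # DNS over TLS port

        # Placeholder certificate and key for the resolver's hostname.
        ssl_certificate     /etc/nginx/tls/dns.example.net.crt;
        ssl_certificate_key /etc/nginx/tls/dns.example.net.key;
        ssl_protocols       TLSv1.2 TLSv1.3;

        # Assumed internal client range; everything else is refused.
        allow 192.0.2.0/24;
        deny  all;

        # DoT carries the same length-prefixed messages as DNS over TCP,
        # so the decrypted stream is passed through unchanged.
        proxy_pass            resolver_tcp;
        proxy_connect_timeout 2s;
        proxy_timeout         30s;
    }
}
```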