Nottingham: Internet protocols are changing

Posted Dec 12, 2017 20:40 UTC (Tue) by Wol (subscriber, #4433)
In reply to: Nottingham: Internet protocols are changing by josh
Parent article: Nottingham: Internet protocols are changing

But I DON'T WANT end-to-end encryption (necessarily). I *do* want *an internet that works*!!!

I always used to describe my then ISP (Demon) as an Internet *ACCESS* Provider because that's what they were - "here's an IP address, here's a physical (dial-up) link, off you go!". Everything else (mail, web server, spam filtering, etc etc) was opt-in.

If ISPs provided the physical infrastructure and packet routing AND THAT WAS ALL, then half of today's problems would go away!!! By all means they can provide extra opt-in services, but stop providing "can't opt out" services that break the system!!!

If "end to end" encryption is an opt-in, great. But don't force it on me, just so's you can fix problems that shouldn't exist!!! (Which also puts banks etc - looking after MY money - into a catch-22 :-(

Cheers,
Wol

Nottingham: Internet protocols are changing

Posted Dec 12, 2017 21:04 UTC (Tue) by josh (subscriber, #17465) [Link] (7 responses)

I think we're talking past each other. Yes, ISPs shouldn't try to provide things other than bandwidth to people who don't want anything but bandwidth. That's separate from end-to-end encryption, which among other things *prevents* ISPs from doing such things. Yes, ISPs shouldn't tamper with your insecure traffic, but you also shouldn't have insecure traffic because malicious people do exist. Yes, postal services shouldn't read your postcards, but you should use envelopes.

encryption is a multidimensional spectrum of utilitarian trade-offs

Posted Dec 14, 2017 2:47 UTC (Thu) by Garak (guest, #99377) [Link] (6 responses)

Yes, ISPs shouldn't tamper with your insecure traffic, but you also shouldn't have insecure traffic because malicious people do exist. Yes, postal services shouldn't read your postcards, but you should use envelopes.

Going without envelopes is fine in many situations- opted-in coupon mailings from a restaurant. If envelopes truly had zero cost, sure you'd throw one of those magic ones on even then. But there are costs. Likewise there are costs for encryption. And though there are some popular ubiquitous variants, it is an important part of the ecosystem that there are variants. Some variants are more and less suited to various use-cases and threat models. A common situation would be some kinds of games and entertainment where the utility of shaving latency outweighs the threat models that encryption protects against. And threat models and applications (and thus their specific usage of encryption) evolve over time. It is not good to advise using encryption blindly. People that do probably also haven't given proper consideration to the true contingency trees and cost/benefit full analysis. They probably have bought into an over simplification that "it's encrypted, nothing bad will ever happen". It's way more complex than that.

encryption is a multidimensional spectrum of utilitarian trade-offs

Posted Dec 14, 2017 9:38 UTC (Thu) by josh (subscriber, #17465) [Link] (5 responses)

> It is not good to advise using encryption blindly.

All HTTP should go away in favor of HTTPS. That's not "using encryption blindly", that's a reasonable response to established threat models.

encryption is a multidimensional spectrum of utilitarian trade-offs

Posted Dec 16, 2017 12:47 UTC (Sat) by Wol (subscriber, #4433) [Link] (4 responses)

Except that http(s) is NOT the internet.

What about those of us who don't use the web? Or are you saying that the ONLY port in use should be (80)80?

Plus, at the end of the day YOU are DICTATING to ME what I should use. NOT acceptable!

(I may agree with you - I may think https is better than http - but I might think the exact opposite FOR MY USE CASE!)

Cheers,
Wol

encryption is a multidimensional spectrum of utilitarian trade-offs

Posted Dec 16, 2017 17:31 UTC (Sat) by josh (subscriber, #17465) [Link] (3 responses)

> Except that http(s) is NOT the internet.

I never claimed it was. Please stop making up things I haven't said and then yelling at me about them.

> What about those of us who don't use the web?

I never said anything about non-http protocols. I do think that protocols that don't have end-to-end encryption should be carefully evaluated, and many of them should go away as well, but my previous comment *only* talked about http and https.

> Or are you saying that the ONLY port in use should be (80)80?

I never said that. (And in any case, port 80 is the insecure one, so I certainly wouldn't be saying *that*, for multiple reasons.)

You seem to be attempting to force an angry confrontation, and I'm not interested. If you want to use insecure protocols, you can always find ways to do so; if you control the software on both ends, you can have them communicate by any means you wish. The tools and infrastructure that the majority of people use will continue to steer people towards secure protocols more and more strongly, so that the path of least resistance becomes safer. Security is often a usability problem, and I applaud the many people working to make the defaults both more secure and more usable.

encryption is a multidimensional spectrum of utilitarian trade-offs

Posted Dec 17, 2017 0:49 UTC (Sun) by Wol (subscriber, #4433) [Link] (2 responses)

Sorry, I'm not trying to force a confrontation or anything.

If you actually look, you will see all along that I am merely reacting to other people telling me what I should or should not do. You were telling me I should not be using plain http. Why not? And to be honest I've seen use cases where http is better than https (mostly a large volume of static pages, iirc).

If other people secure their networks with the result that I can't communicate, well, I'll cross that bridge when I come to it. But to give a silly example of "security is a bad thing", would you recommend that everyone keeps their doors locked to keep strangers out? Sounds like a good idea, until you realise that the whole point of a shop is to welcome random strangers ...

(I regularly come across reference to "security theatre" - actions that LOOK like they improve matters, until you actually look carefully and realise that they do very little, or even make matters worse!)

Cheers,
Wol

encryption is a multidimensional spectrum of utilitarian trade-offs

Posted Dec 17, 2017 1:12 UTC (Sun) by pizza (subscriber, #46) [Link]

> would you recommend that everyone keeps their doors locked to keep strangers out? Sounds like a good idea, until you realise that the whole point of a shop is to welcome random strangers ...

.... during "normal business hours". And said doors will be locked during other times.

You picked a rather poor analogy.

encryption is a multidimensional spectrum of utilitarian trade-offs

Posted Dec 17, 2017 3:01 UTC (Sun) by josh (subscriber, #17465) [Link]

> And to be honest I've seen use cases where http is better than https (mostly a large volume of static pages, iirc).

HTTPS is, at this point, down in the noise with respect to computation. You're certainly not going to become CPU-bound serving static pages over HTTPS.

> If other people secure their networks with the result that I can't communicate

What is preventing you from communicating using encryption? You seem to be phrasing your responses as if HTTPS is a non-starter for you.

> (I regularly come across reference to "security theatre" - actions that LOOK like they improve matters, until you actually look carefully and realise that they do very little, or even make matters worse!)

HTTPS is not one of those things, however.

Nottingham: Internet protocols are changing

Posted Dec 13, 2017 1:42 UTC (Wed) by interalia (subscriber, #26615) [Link]

Hi, nice points but just a reminder that you don't have to use exclamation marks in sets of three. They don't get lonely when used one at a time; in fact, they prefer it :)