I just don't want this guy monitoring my Internet.



His government has committed to introducing the bill mentioned above, Bill C-51, into parliament within 100 days. His party has a majority, so he can do whatever he pleases, subject to internal party pressure.

Are we going to be able to redesign HTTPS in less than 100 days? Hell no. BUT we can start a movement to *use* HTTPS to voluntarily encrypt almost Internet traffic using AES, TLS, and CAcert.

We need to start now because if Harper gets away with Bill C-51, other countries will surely follow. It's best to be pre-emptive and encrypt now, rather than later.

We need to work on getting everything encrypted. Then we need to move on to solving the CA problem. Perhaps we could replace SSL/TLS with OpenPGP combined with DNSSEC.

Out of curiosity, what would the drawbacks of replacing SSL/TLS with OpenPGP combined with DNSSEC be?

Everyone would need to install openpgp? lol

Won't IPv6 do a much better job of "getting everything encrypted" than trying to get SSL/TLS/OpenPGP support into every Internet application? I can see why OpenPGP might still be useful for some applications (e.g. email, for which it was designed and which can involve multiple application-layer hops).

As for DNSSEC, that's meant for protection against illegitimate DNS records; it won't do anything to protect your privacy.


Without some form of identity verification, how do you tell the difference between a genuine encryption key and one injected by a MITM?

Deprecate HTTP in favor of HTTPS, is this some kind of weird joke or something? Don't get me wrong, there is a strong need for increased use of encryption when using HTTP, but deprecating the unencrypted use is a waste of resources and somewhat unnecessary. There are a lot of use cases where encryption is downright pointless. There is no need to hide the fact that I'm reading an online newspaper, API documentation, a blog, forums (when I'm not logged in) or similar situations where no sensitive or otherwise protection-worthy information is exchanged. So why encrypt such traffic with HTTPS when:

• you loose the possibility of caching between client and server
• local caching behavior is not the same as for HTTP, i.e. browsers may not cache it on disk because of privacy issues doing so.
• increased use of resources in both clients and especially servers. Having multiple servers serving the same site may require an SSL/TLS-terminator in front of those multiple servers for them to actually have decent performance.
• increase latency, especially when establishing a new connection as you need to do handshakes etc.

There is also a technical issue with HTTPS and name-based virtual hosting, that is it's not actually possible without something called Server Name Indication. SNI is not supported in older browsers. In the Windows-world IE6 don't support this and you need Vista and IE7 (no, IE7 + XP don't work here apparently). All in all, it just doesn't make any sense to fully deprecated HTTP.

That said I don't disagree that there need to be more use of HTTPS. In fact, all sites with login should be somehow forced to use HTTPS, at least for the protected parts of it, as the user is transmitting a password he or she might be, with lack of understanding of security, using elsewhere as well. Logging in via a unencrypted network, such as a open WLAN, and HTTP has already been shown to compromise such people and the places they log into. However, currently this isn't possible since the certificates need to be bought in order for it to work properly. Hopefully CaCert might be a viable solution to resolve this in the future.

We could get netpgp or GnuPG integrated into every web browser and webserver. Even through user-installable add-ons and modules, at first.




-----

Note: We should still use utilities like HTTPS Everywhere as any encryption is better than no encryption. However, we need to look to the future and form a plan to replace TLS/SSL as it is not suitable for universal web encryption.

Summary of this thread: Why is anything on the Internet in cleartext anymore?



Also: http://canadianawareness.org/2011/05...new-bill-c-51/

Why would you need to know if the encryption key is genuine? The only one who needs to know is me. And, naturally, I do know, since I created it.

How do you trust your Linux system when you login to it through SSH?

That's what SSH Host Keys are for

Last time I checked, I didn't have to get my SSH host keys from a host key authority.

So if I want my site to use encryption, why does it matter who I am? It shouldn't. Unless I want it to matter and tell my visitors that it matters. And only in that case should the browser check whether I'm telling the truth. Otherwise, the browser shouldn't even bother displaying any kind of special "trusted connection" info/icon/whatever to the user. I should be able to make my site use encryption without claiming that it can be trusted, or even telling the visitors that the site uses encryption.