Comments on Krazy Glew's Blog: "https vs http - why not signed but not encrypted https?" (blog by Andy "Krazy" Glew, http://www.blogger.com/profile/08442494949914217568)

Comment by Alex Elsayed (https://www.blogger.com/profile/04965021603241785796), 2015-09-30T22:21:06-07:00:

A bit late, but there are some misconceptions in this post that shift the tradeoff around - in enough directions that I'm not sure what the final location of the point is :P

1.) The big reason to push pervasive encryption (not just HTTPS, but DNSCrypt, SMTP over TLS, IMAP over TLS, etc.) is not just "Prevent MITM".

1.1.) The difference between "private" and "secret" is a fuzzy one, but both need encryption rather than just authenticity - and passive taps suffice against auth-only; with the NSA's avowed tendency towards slurping EVERYTHING, this is a notable thing.

1.2.) The server and the client may disagree on what is and is not private.

1.3.) Existing protocols are _really_ bad about providing credential-equivalent information "in the clear" (see Firesheep); auth-only does nothing here.

2.) TLS does not necessarily inhibit caching.

2.1.) CDNs can be located near the end-user, and use TLS on a shorter hop. The vast majority of content by bandwidth is essentially static (videos, etc.), and CDN-as-a-service is an ancient business.

3.) Authentication-only does _not_ require public-key operations on each message.

3.1.) You do the asymmetric handshake as normal, then use a MAC (Message Authentication Code, which can be built out of any secure hash using HMAC) to authenticate each message. This is fast - approximately the same speed as a raw hash, plus a small constant factor.

4.) Using authentication-only modes may _not_ improve cacheability.

4.1.) The HTTP response over the wire often contains headers that vary with the client, even if the actual data is invariant. In such a case, the MAC of the individual messages would vary, and cannot be used across multiple messages.

4.2.) As a result, you'd need to do the authentication at a higher level - within each protocol such as HTTP - to do it separately on the headers and the bodies. This is a fraught endeavor.

Overall, I _think_ this moves the balance mostly towards "The costs outweigh the benefits", but it's certainly not black and white. It's also certainly not simple to just _try_ it and see, sadly.