Making TLS/SSL optional Lassi Kortela (23 Aug 2022 07:44 UTC)
Re: Making TLS/SSL optional Vasilij Schneidermann (23 Aug 2022 10:40 UTC)
Re: Making TLS/SSL optional Lassi Kortela (23 Aug 2022 16:51 UTC)
Re: Making TLS/SSL optional Arthur A. Gleckler (23 Aug 2022 17:12 UTC)
Re: Making TLS/SSL optional Lassi Kortela (23 Aug 2022 17:37 UTC)
Re: Making TLS/SSL optional Arthur A. Gleckler (23 Aug 2022 17:44 UTC)
Re: Making TLS/SSL optional Vasilij Schneidermann (24 Aug 2022 19:38 UTC)
Re: Making TLS/SSL optional Arthur A. Gleckler (23 Aug 2022 14:22 UTC)
Re: Making TLS/SSL optional Magnus Ahltorp (24 Aug 2022 16:57 UTC)

Re: Making TLS/SSL optional Lassi Kortela 23 Aug 2022 17:37 UTC

> Defense in depth is still a good idea, especially when the cost for
> this particular form of protection has been driven close to zero.
>
> Leaving anything on the internet completely unprotected is just asking
> for trouble.

"Defense in depth" sounds like one of the buzzwords that discourage
people from developing a realistic threat model.

Recall how RMS said that people are not supposed to notice the most
prominent security threat is from the vendors themselves.

I'm not arguing we turn off TLS (after all it's a standard), just stop
the forced redirects from HTTP to HTTPS. The point of the extended
discussion in this thread is not to do something for scheme.org but to
develop one's thought process - it's good not to take industry gospel at
face value.