
Re: Let's talk about HTTPS Everywhere



On Wed, 19 Jan 2011 07:17:58 -0600, Dave Sherohman wrote:

> On Wed, Jan 19, 2011 at 12:57:48PM +0000, Camaleón wrote:
>> On Wed, 19 Jan 2011 03:29:15 -0800, S Mathias wrote:
>> > 3) Can someone trust this Add-on? Is it safe to install/use?
>> 
>> I don't like/trust anonymous (even encrypted) proxy sites.
> 
> HTTPS Everywhere is not a proxy site, encrypted, anonymous, or
> otherwise.  It causes your browser to request that the sites you visit
> use HTTPS rather than cleartext HTTP when communicating (directly) with
> you.  Nothing more, nothing less.

Maybe I read it wrong. The EFF page says the addon has been developed 
by Tor (I guess you already know what this is) and the EFF.

>> > 4) If it's so great why isn't it more prevalent?
>> 
>> - SSL traffic is heavy and slow
> ...
>> My opinion is that I don't want to encrypt all the traffic, at least
>> not with the slow DSL connections/hosts we have now (loading a single
>> page will take seconds).
> 
> I don't know where you get this idea.  SSL traffic is no different on
> the wire than any other data traffic.  There is a cost in processing
> overhead for running the encryption algorithms on the client and on the
> server, but it does not incur any additional bandwidth requirements and,
> with modern hardware, the additional processing cost is negligible.

And that "cost" translates into slow page loading that is even worse if 
your connection is not as good as it should be.

>> - There is no need (normally) for encrypting public navigation (see the
>> note below)
> ...
>> I prefer to leave the SSL/TLS for sensitive data (logins, etc...).
> 
> When dealing with sites which use session cookies, "public navigation"
> *is* "sensitive data", as every request sent will include the cookie(s)
> which identify you and an attacker who gains access to that data would
> be able to use those cookies to impersonate you for the lifetime of that
> session, as demonstrated by the recent uproar over FireSheep.

Data stored in cookies is not what I understand by "sensitive". What 
kind of information do you think cookies are managing?

Greetings,

-- 
Camaleón
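
Added example (not part of the original message or thread): a simplified model of the point made in the quoted reply, that every request to a site carries its cookies, so a session cookie set at login also travels with later cleartext "public navigation" requests. It additionally shows the `Secure` cookie attribute, which the thread does not mention; the header values, cookie names and example.org URLs are constructed.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample: Set-Cookie headers a site might return after an HTTPS login.
SAMPLE_SET_COOKIE = [
    "sessionid=3f9a1c0e; Path=/; HttpOnly",           # no Secure attribute
    "auth_token=b71d22aa; Path=/; Secure; HttpOnly",  # restricted to HTTPS
    "lang=en; Path=/",                                # harmless preference
]


def parse_set_cookie(headers):
    """Return {cookie_name: has_secure_attribute} for Set-Cookie header values."""
    jar = {}
    for header in headers:
        cookie = SimpleCookie()
        cookie.load(header)
        for name, morsel in cookie.items():
            jar[name] = bool(morsel["secure"])
    return jar


def cookies_attached(jar, url):
    """Names of the cookies a browser would attach to a request for `url`.

    Simplified model: only the Secure attribute is considered; domain,
    path and expiry matching are ignored.
    """
    is_https = urlsplit(url).scheme == "https"
    return sorted(name for name, secure in jar.items() if is_https or not secure)


def exposed_in_cleartext(headers, url="http://example.org/news"):
    """Cookies that would cross the network unencrypted on a plain HTTP request."""
    return cookies_attached(parse_set_cookie(headers), url)


if __name__ == "__main__":
    jar = parse_set_cookie(SAMPLE_SET_COOKIE)
    print("HTTPS request carries:", cookies_attached(jar, "https://example.org/account"))
    print("HTTP request carries: ", exposed_in_cleartext(SAMPLE_SET_COOKIE))
```

In this sample the login was encrypted, yet `sessionid` still accompanies the plain HTTP page view, which is the identifier a passive listener on the same network would need to reuse the session.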

