On 2015-12-08, Michael McConville <mm...@mykolab.com> wrote:
> Jason Barbier wrote:
>> szs wrote:
>> > Not for security.
>> > For privacy.
>> 
>> It is a read only site, the privacy you seek is breached as soon as
>> you make a DNS call to openbsd.org
>
> There are still some privacy benefits to using HTTPS. It will confound a
> lot of simple filtering and monitoring software

For current TLS versions it is absolutely trivial to identify which
site you're connecting to; it's in cleartext in the clienthello, so
there's no need to even spoof the TLS connection for this.
(Easy to log in squid. Anyone want to send a patch for dsniff? ;-)

(Doing something about this for TLS 1.3 gets discussed from time to
time on the IETF TLS mailing list, the latest iteration being
https://www.ietf.org/mail-archive/web/tls/current/msg18633.html)

> and what you're reading on the site is pretty obfuscated.

Not as much as it would be if you checked out the www tree from CVS :-)

> It also helps security on sketchy networks.
>
> HTTPS isn't a perfect solution, but it's something. Especially when ISPs
> are starting to inject beacons into HTTP requests and more closely
> observe usage.
>
> That said, I suspect none of the sysadmins have the time or interest,
> and that's understandable.

I don't think this is a "time or interest" thing. I haven't seen any
proposed viable solutions for the problems that have been mentioned when
this has come up on the lists in the past.

The technically-cleanest way I can think of would be to publish a
name-constrained private root and sign from there, but the only place we
could sanely distribute that root is cert.pem which doesn't work nicely
for !OpenBSD or for gui browsers on OpenBSD, and while that would have
some uses, the list questions will then change to "why don't you use a
publicly recognized root", so I don't really consider that viable
either.
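To make the point about the clienthello concrete for anyone monitoring their own network: the server name sits in the plain server_name extension before any key exchange happens, so a passive observer of the first packet sees it. The following is an added example, not code from this thread or from the OpenBSD project. It builds a minimal TLS ClientHello (constructed test data, zeroed random, one cipher suite) and then parses the SNI back out the way a logging proxy would; the parser only walks the handshake structure and does not look at the version fields, so it is not tied to TLS 1.2.

```python
import struct


def build_client_hello(server_name=None):
    """Build a minimal TLS ClientHello record (constructed test data).

    Layout: TLS record header, Handshake header, then the ClientHello body
    with an optional server_name extension (type 0x0000).
    """
    body = b"\x03\x03" + bytes(32)          # client_version, 32-byte random (zeros: test data)
    body += b"\x00"                          # session_id length 0
    body += b"\x00\x02\xc0\x2f"              # cipher_suites: one suite
    body += b"\x01\x00"                      # compression_methods: null only
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host   # name_type host_name(0)
        sni_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
        body += struct.pack("!H", len(ext)) + ext                # extensions length + data
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body    # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name from a ClientHello's server_name extension, or None.

    Nothing here is decrypted: every field read is cleartext on the wire,
    which is why a proxy or IDS can log the destination site from the
    very first packet of the connection.
    """
    try:
        if record[0] != 0x16:                                   # not a Handshake record
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:                                       # not a ClientHello
            return None
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        pos = 2 + 32                                            # skip client_version, random
        pos += 1 + body[pos]                                    # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]    # cipher_suites
        pos += 1 + body[pos]                                    # compression_methods
        if pos == len(body):
            return None                                         # no extensions block at all
        ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if etype == 0x0000:                                 # server_name extension
                names = body[pos + 2:pos + elen]                # skip server_name_list length
                npos = 0
                while npos + 3 <= len(names):
                    ntype = names[npos]
                    nlen = struct.unpack("!H", names[npos + 1:npos + 3])[0]
                    npos += 3
                    if ntype == 0:                              # host_name
                        return names[npos:npos + nlen].decode("ascii")
                    npos += nlen
            pos += elen
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None                                             # truncated or malformed input


if __name__ == "__main__":
    print(extract_sni(build_client_hello("www.openbsd.org")))   # www.openbsd.org
    print(extract_sni(build_client_hello()))                    # None
```

The malformed-input path matters for anything that sits on a live tap: a truncated or deliberately odd ClientHello should produce "no SNI", not a crash in the logger.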
