On Tue, Oct 7, 2008 at 4:36 PM, David Barrett <[EMAIL PROTECTED]> wrote:
> 1) The admin of the webserver wants to enable encryption
> 2) The user has a browser that supports encryption

Correct.

> But both of those conditions are *already* met by HTTPS. Can you
> explain the scenario this is intended to cover that isn't already
> covered by HTTPS?
>
> Basically, generation 1 of Obfuscated TCP seemed sensible: upgrade the
> OS on both the client and server machine (or on both sides of the p2p
> connection) and all TCP connections get magically encrypted. I can see
> the differentiating value of that. But I don't the differentiation
> here, especially given that it doesn't address the P2P case.

I'll agree that probably the value of the system has decreased as the generations progressed. This makes me sad, but I haven't stopped trying. (Although there are advantages to moving out of kernel space, however.)

The aim is to increase the currently tiny amount of encrypted traffic over the Internet. HTTPS has ubiquitous support, and yet it's just not used. There are several reasons why not:

* Getting a certificate isn't too hard, but it's still quite a speed bump. They cost and they have to be renewed. Self-signed certs are possible, but I support Firefox in its efforts to discourage them. I don't think we can present to the average user any shades of gray. HTTPS should be the gold standard and everything else should be suspect.

* Users just don't type HTTPS most of the time. Yea, you can redirect, but the latency (another 3 RTT) is a real pain.

* Hosting sites can't deploy HTTPS for their clients by default, because of the certificate issues.

* HTTPS is expensive to serve. Partly that's due to the default configuration of OpenSSL, which ends up using astronomically expensive suites like DHE-RSA-AES256-SHA, partly because TLS is aiming higher.

I would dearly like the deployment for servers to be easier. That can be done with connection memory, although it suffers from mild privacy concerns (you need to keep a hash of the hostnames that you visit in the browser) and that the first connection isn't secure.

The code to do this is already written, just disabled at the moment. In addition to the ObsTCP information in the DNS advert, I also want to support a TLS port so that browsers will transparently use TLS and will accept self-signed certs without comment when they do. That may turn out to be more useful since people don't have to patch their servers.

Cheers

AGL

--
Adam Langley [EMAIL PROTECTED] http://www.imperialviolet.org

_______________________________________________
p2p-hackers mailing list
[email protected]
http://lists.zooko.com/mailman/listinfo/p2p-hackers
