On 12/10/2013 12:07 AM, Richard Barnes wrote:
> On Mon, Dec 9, 2013 at 6:46 PM, Bjoern Hoehrmann <[email protected]> wrote:
>
>> * Richard Barnes wrote:
>>> I'm thinking of things like these...
>>>
>>> <http://bgr.com/2013/11/20/lg-smart-tv-spying/>
>>>
>>> ... which do not seem like RFC-able things (so, the latter). Both are poor
>>> design decisions; the first not applying authentication/authorization, and
>>> the second, well, just epically failing. What are you going to do, require
>>> someone to set a jumper for DNT?
>>
>> An LG Smart TV owner in the United Kingdom has shockingly discovered
>> that his device is sending unencrypted data over Wi-Fi containing TV
>> watching habits, as well as file names from external storage units
>> hooked up to the TV to an LG website, even though the TV’s privacy
>> settings should have prevented such behavior.
>>
>> Next device this data will be sent encrypted, with the keys and the
>> software secured by the TV's "DRM" system so Smart TV owners will no
>> longer be able to find out about such problems.
>>
>
> That actually seems like kind of a compelling rationale for
> authentication-only modes (as Bruce suggested) -- so we the network owners
> can see what our devices are doing. It's isomorphic to the enterprise
> case, but a little more intuitive for we end users.

I disagree. As Bjorn says the device manuf will encrypt next time
no doubt irrespective of whatever HTTP does, perhaps using the
JS WebCrypto API;-) May as well encrypt the HTTP then since you'll
need to spot the badness via traffic analysis yourself! (Only
kidding, the always-encrypt-HTTP argument isn't that simple and
should be rehashed here:-)

But yes, the privacy-unfriendly behaviour of our devices and service
providers is a major deal. I don't think that justifies arguments
to give up our privacy to everyone in between though.

S

>
> --Richard
>
>> --
>> Björn Höhrmann · mailto:[email protected] · http://bjoern.hoehrmann.de
>> Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
>> 25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/
>>
>
> _______________________________________________
> perpass mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/perpass
