On Sat, Aug 2, 2014 at 12:03 AM, Joe Touch <[email protected]> wrote:
> On 8/1/2014 8:25 PM, Nico Williams wrote:
>> On Fri, Aug 01, 2014 at 06:57:10PM -0700, Tony Arcieri wrote:
>>> On Fri, Aug 1, 2014 at 5:14 PM, Joe Touch <[email protected]> wrote:
>>>> I might have thought so. Except Google did it.
>>>
>>> Google is a cool story, but in my book it really doesn't count until
>>> everyone does it and we have full network encryption...
>>
>> Right.  Big players can impose HTTPS due to the cost to a nation's
>> citizens (or ISP's customers) of blocking it.
>
> A TCP-encrypted solution on port 80 might be blocked for exactly the same
> reason. That's a lot of work for no benefit.

You missed the point completely.  Big players have been able to get
great firewalls to let their encrypted traffic through because
blocking it was too painful and MITMing it was a line the firewall was
not yet ready to cross.

That only works for big players.  It doesn't work for everyone else
because the great firewalls can tell who everyone else is.

(There have been some really good stories about great firewalls
blocking some big site and then having to relent after a few days.  A
recent, memorable one involved one great firewall blocking github,
which didn't last long at all for... obvious reasons.)

Ergo, if they couldn't tell who you were talking to... you might be
talking to a big player, and they shouldn't block you, or you might
not be, but they can't tell.

As long as great firewalls can deep inspect and block the
content/destinations they can see, don't like, and can afford to
block, the only way around them is to either use those sites that
politically they can neither block nor MITM, or reduce the firewalls'
ability to discriminate by getting confidentiality protection from DNS
itself.

Pushing the great firewalls this hard might lead them to play
hardball (e.g., make users install their TAs so they can MITM a lot).

Nico
--

_______________________________________________
Tcpinc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tcpinc
