Matthew Green · Dec 28, 2021 · 8:44 PM UTC

Matthew Green

Matthew Green @matthew_d_green

28 Dec 2021

I think the term “encrypted” should just mean “end to end encrypted” when it comes to describing online services. I don’t care that you’re using TLS.

100

906

matt blaze · Dec 28, 2021 · 8:48 PM UTC

matt blaze @mattblaze

28 Dec 2021

Agree. Relatedly, the fact that you can say this reflects one of cryptography’s most complete success stories. Third-party passive interception of ‘net traffic has basically disappeared as a practical threat.

133

L. David Baron @dbaron@w3c.social · Dec 28, 2021 · 10:45 PM UTC

L. David Baron @dbaron@w3c.social · Dec 28, 2021 · 10:45 PM UTC

L. David Baron @dbaron@w3c.social @davidbaron

28 Dec 2021

Replying to @mattblaze @matthew_d_green

Yeah, the numbers on transparencyreport.google.co… (about halfway down the page) are pretty good. Reasonable people might disagree over whether that's good enough to count as "basically disappeared".

Dec 28, 2021 · 10:45 PM UTC

matt blaze · Dec 28, 2021 · 10:55 PM UTC

matt blaze @mattblaze

28 Dec 2021

Replying to @davidbaron @matthew_d_green

The amount of (mostly nonsensitive) cleartext doesn't need to be zero. I can't remember the last time I heard of an actual attack involving passive interception of net traffic. Encryption has forced attackers to (more difficult) endpoint attacks.

L. David Baron @dbaron@w3c.social · Dec 29, 2021 · 12:46 AM UTC

L. David Baron @dbaron@w3c.social @davidbaron

29 Dec 2021

A reason to push non-TLS towards zero is that user agents (e.g., browsers) can't distinguish which sites need which combination of authentication, integrity, and confidentiality. Getting it to zero lets software make more meaningful promises to its users.

more replies