On Thu, 7 Jun 2018 23:19:22 -0500
"J.B. Nicholson" <j...@forestfield.org> wrote:

> George wrote:
> > Why can't we have both? I mean the software is in the public domain
> > there is nothing to hide so what's the point of encrypting the site?
> 
> ISPs and other intermediaries alter website traffic between the
> server and the client. The purpose of their alterations is
> irrelevant, you should get the data the server is trying to send you.
> You can never be sure if what you're getting is what the server tried
> to send you if you're getting that data over HTTP instead of HTTPS.
> 
> Also, spying on the connection is trivial when data is exchanged in
> the clear. Other parties really don't need to know what you're
> requesting from or sending to a website.
> 
> The software's lack of copyright really doesn't enter into any of
> this.
> _______________________________________________
> sqlite-users mailing list
> sqlite-users@mailinglists.sqlite.org
> http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

Hi guys,

You have all raised interesting points and when I sent my opinion/email
I did it in a way not to provoke more discussion but simply request that
HTTP remains a valid and available choice.

For a discussion on why unencrypted traffic is still important check a
presentation done by Poul-Henning Kamp some time ago. The core of it as
I remember it is that some content is better left unencrypted for those
who deliver it, need to cache it and for the viewer. Heck even for the
planet i.e. less energy consumed.. on encrypted commercial CDN cookies
etc. making sure their data is good.

On the security aspect of computing i.e. addressing the HTTP over SSL
(HTTPS) I would say that running a broken Intel CPU with firmware bugs
on an operating system full of issues (Windows, Mac OS X, Linux,
BSD take your pick...) and using a protocol (TCP,HTTP) with a number of
side channel and other attacks which is why there is a short list of
cyphers for browsers and renegotiating issues abound in HTTPS and WIFI
protocols.

I don't feel safer running HTTPS everywhere as Google wants with a trust
store full of certificates for companies, governments and corporations
I have never personally met or even trust by name nor can I if I
so desire disable when I want to. Or at least be given a prompt
trust or not to accept the certificates I only need (I tried
disabling all certs on my Android phone which made it useless i.e. it
had no network connectivity .... wat ... etc.)

If you look at your network traffic for any major website you will
notice that well more than half of what is coming from CDNs blasting
commercial content and collecting any data they can all powered by
Google analytics and such. So more than half of my internet bill is
for that. What SSL does is to make it very hard for someone at home to
put a proxy and filter the junk that I am forced to pay for whether I
like it or not. I wish to ensure that my kid's Internet browsing is not
full of questionable content but I have to jump carefully designed
hoops by people working full time making sure I am out of luck.

The end result being less privacy and less security as everyone is
jumping the SSL termination bandwagon and basically doing the MITM that
SSL was designed to avoid .... how ironic, hilarious and ridiculous
this all is..

Sorry for the rant just wanted to say: ... I am fine and would still
like simple plain HTTP ... if someone changes the files and the checksum
over the wire I can get the code and recompile, but they could possibly
change the code in transit or hack the SQLite server and do it on the
disk it is served from ... or run an ISP that does that in transit
or ... and etc. etc.. 

As someone who has not verified the millions of lines of code in SQLite
I trust the project is taking measures to ensure their stuff does not
get tampered with, the best way they can, if I remember well that did
not work even for the Linux kernel a much larger project.

Efforts to improve security are well advised but 100% security is very
expensive and close to impossible to achieve as all of what we are
exchanging and using is human made ... and we are alas quite far from
infallible.

Best regards,
George
