TLS proxies? Nah. Truthfully Less Secure 'n' poxy, say Canadian infosec researchers

ecarlseen

Unfortunately, there can be some good reasons for this.

As someone who occasionally manages such devices, we've run into situations where we needed to offer support for poor-quality encryption in order to enable business to function with outside organizations that are not up to snuff. And before the ZOMG screams for regulatory intervention begin, I would note that nearly all of the organizations we have to make accommodations for are governmental or government-appointed monopolies (exclusive rights to provide services for government agencies). We had one the other week whose Internet-facing web server was still running on Windows 2003. They plan to upgrade eventually, when they get around to it. As far as they're concerned, as long as browsers connect then they give precisely zero fucks (and this in an area where private businesses are tightly regulated due to presumed terrorism risks).

And here's the other thing: while solid encryption is critical for protecting many sorts of information, there are other areas that just aren't important. Ironically, the drive to encrypt everything to the eyeballs seems to be largely driven by Google, which then hoovers up so much information about everyone which, in turn, is available to various governments upon request - and, if their Dragonfly project has any meaning, preemptively. Since encrypted transit across the Internet is mainly a protection against spying by nation-states (until non-state criminal organizations are able to tap Internet backbones), the whole thing seems to be immensely overblown.

In my mind a more rational response would be to have the browsers do a better job of indicating the relative strength of encryption on any given site. This should be done in a manner that is continuously obvious to the user as they use the site (frame the window in red or something), but does not require additional action on their part. If a site doesn't have encryption, then indicate it but go no further. Browsing some online brochures is usually not a secret worth protecting. We'll get further with shaming poorly-secured sites than we will with the current trend of giving users so many click-through warnings that they just ignore them all.

Biting the hand that feeds IT © 1998–2022