by adricnet
3892 days ago
The content is available after it is decrypted in a browser on a single host. If the streams are inspectable by network defenses, they can be inspected at a much more feasible scale, allowing one device to protect 10,000s of hosts from the same malware-laden ad. The alternative is to try to deliver protection to 10,000 browsers and somehow keep them synchronized, which is just so much harder and more expensive. Or you could make the host operating system, apps, and the browser resistant to exploitation...

It's not that encrypting secrets is bad (and sessions are secrets). It's that encrypting everything without looking at what you gain and lose is poor engineering, and it all seems to be politicized somehow (camps, factions, dogma...) with HTTPS-only being pushed as the answer to one security problem (confidentiality vs. active eavesdroppers) at the expense of existing solutions to other problems, including integrity (please don't compromise my hosts), availability (I cannot use recent browsers to admin my equipment because they ban self-signed certs but trust 100+ CAs) and non-repudiation (where did the malware come from?).

... speaking as someone who studies malware analysis.

Cheers,
adric