by gruez 1561 days ago
>Here’s what I mean: rather than technology sewing a ski mask onto my head so that nobody can see me online, I’d rather have technology inform me about the nature of the site or network I’m using so I can make the choice of what my posture should be. I want to trust the services I use because they’re respectable and have earned my trust. If everyone is wearing a mask then how can I trust anyone? I’m not super excited about an internet where we trust nobody.

This approach might work for the average HN user, but what about your aunt? Is it reasonable for her to know the "nature of the site or network" she's using, or what her "posture should be"?

>A concrete example: TLS 1.3. What if I want to trust a 3rd party to help me keep an eye on my traffic at a network level?

1. Are you talking about SNI? AFAIK encrypted SNI requires cooperation from DNS, so if you really wanted to you could disable it at the DNS level.

2. For every user who has some sort of network security appliance that works like you described, there's probably 100 that don't.

>Same for browsers. Shouldn’t the browser be asking me which pieces of information and which APIs I want to allow a site to access (with sensible defaults, of course) rather than locking all the useful stuff behind “secure contexts”?

My impression from the barcode detection API[1] is that policies like this are "fuck http" rather than "improve security".

[1] https://news.ycombinator.com/item?id=30620802

1 comments

Yeah it is certainly a tension between designing for your aunt and for power users. I do think simply making your posture configurable with sensible defaults for the masses would go a long way toward quelling my unease. It’s the “because there are 100 aunties and one of you, sorry, you must be like your aunt” that’s frustrating.

Re TLS: I’m referring to the encrypted server cert. It breaks inspection middle-boxes since they can no longer dynamically generate a response certificate on the fly. I’d just like the ability to say “hey I actually run and trust my middleware, TLS please run in proxy mode” even though I also agree with the new TLS behavior as a good default in general.