Re: [Cryptography] IPsec DH parameters, other flaws

On Tue, 17 Nov 2020, Christian Huitema wrote:

> Really? Facebook and Ali-Baba are already sending a bunch of their
> traffic over Quic, so it is not just Google. In fact, a sizeable
> fraction of the Internet traffic runs over Quic already. Most browsers
> already support Quic -- Chromium of course, but also Mozilla and Safari.
> There are implementations of Quic on server platforms like Apache, NGinx,
> or Litespeed, on VPNs like Akamai, Fastly or Cloudflare, and I am
> missing a few. (see:

But none of this benefits the user. It benefits the Advertisement Gods.
It gives _them_ more milliseconds to auction our privacy with targeted
ads while not delaying the user more so they lose interest in the web

> Quic is really an encrypted transport, solving

It's really solving that we never got IPsec hooks into the application
and we couldn't trust the OS enough. A lack of signaling we are
connecting securely. And that is due to governments who didn't want
us to change the default mode of the internet to encrypted with IPsec
in IPv6 because then they couldn't monitor their citizens^Wenemies. So
now the enterprises work around this government restriction fallout. But
doing a crypto handshake for each flow is too expensive, so QUIC kinda
merges these into one. It's basically IPsecInTLSinUDP.

Proving again that the enemy is (all of) us.

The cryptography mailing list
cryptography AT metzdowd.com