Obfuscated TCP Revisited
Welcome back!
I recently did a post, Google’s Obfuscated TCP that's actual proof that if you don't do at least a little research when posting on technical subjects, you can end up looking like a techi-toddler-wannabe still very much in baby clothes instead of the informed, helpful person you're trying to be.
Since writing that, I've discovered that for all intents and purposes, Obfuscated TCP is dead, buried and rotting in it's digital grave. The cause of death was it's rejection by the IETF. There is apparently still some hope that, like the Time Lords, it could regenerate and appear in another form, there isn't a lot of hope for that at this time.
It's also been pointed out that there is already a way to do what Obuscated TCP wanted to do. Specifically you could have a middle ground, a method less secure than ssl but not needing quite the maintenance. Something that's mainly intended to make life difficult for casual snoops. The Self-signed certificate.
The problem with this is the way current browsers handle things
SSL with certificate signed by a trusted certificate authority. This gets a security symbol in the browser (usually a padlock).
Plain HTTP, no ssl at all. No security symbol shown.
For SSL with a self-signed certificate, display the security symbol but also make sure to add a big hairy notice that scares the diapers off of the uninformed.
A better way to handle security notices would be something like this
SSL with certificate signed by a trusted certificate authority, show security symbol.
SSL with self-signed certificate, either don't show security or perhaps show outline of security padlock
Plain HTTP, no ssl at all. No security symbol shown.
This would give the benefits that Obfuscated TCP is going for and save users from the big hairy scary notice that they get hit with now.
Technorati Tags: privacy, web privacy, snooping, secure sockets layer, ssl, obfuscated tcp, encryption
Just copy this code and paste it on your site where you want the link to appear:
