[Wikimedia-l] Disinformation regarding perfect forward secrecy for HTTPS

[James Salsman]

George William Herbert wrote:
>...
> It would also not be much more effort or customer impact
> to pad to the next larger 1k size for a random large fraction
> of transmissions.

Padding each transmission with a random number of bytes, up to say 50
or 100, might provide a greater defense against fingerprinting while
saving massive amounts of bandwidth.

>... At some point the ops team would need a security team,
> an IDS team, and a counterintelligence team to watch the
> other teams, and I don't know if the Foundation cares that
> much or would find operating that way to be a more
> comfortable moral and practical stance...

I'm absolutely sure that they do care enough to get it right, but I
think that approach might be overkill. Just one or two cryptology
experts to make the transition to HTTPS, PFS, and whatever padding is
prudent would really help. I also hope that, if there is an effort to
spread disinformation about the value of such techniques, that the
Foundation might consider joining with e.g. the EFF to help fight it.
I think it's likely that a single cryptology consultant would probably
be able to make great progress in both. Getting cryptography right
isn't so much as a time-intensive task as it is sensitive to
experience and training.

Setting up and monitoring with ongoing auditing can often be
automated, but does require the continued attention of at least one
highly skilled expert, and preferably more than one in case the first
one gets hit by a bus.