
Message Security Layer: A Modern Take on Securing Communication - jedberg
http://techblog.netflix.com/2014/10/message-security-layer-modern-take-on.html
======
tptacek
People should read Ryan Sleevi (of the Chromium security team) and Brian Smith
(of the Mozilla security team) on Twitter for background on what this is, and
why it might not be something to be excited about.

@sleevi_ and @BRIAN____.

~~~
SamReidHughes
You mean @BRIAN_____.

~~~
tptacek
Also I'm wrong about where he works. :)

------
drderidder
This is a very interesting development, an OTT* protocol for secure communication
that can sit on top of HTTP. Perhaps this was inevitable given that so much of
the underlying security infrastructure has been compromised. It appears to be
able to function independently of the application layer protocol as well.

[edit] *I originally wrote 'over-the-top protocol', which in the telecom
industry just means "on top of HTTP". Puzzled as to why this got down-voted
until I realized some people probably interpreted it as a negative remark. On
the contrary, I think OTT protocols like this may be a great way to leverage
existing infrastructure while layering on new and potentially better
approaches to security.

------
teacup50
Given Netflix's position on browser DRM, and their references in this post to
"platform integration" and device keys, it sounds like they're trying to
implement HDCP for sockets.

Ugh.

~~~
tptacek
That's pretty much what this is. As I understand it, this predates WebCrypto,
too, and is also the reason that Mozilla will (_pointlessly, dangerously_)
deliver WebCrypto code over non-TLS HTTP connections.

------
reedloden
Yet another new crypto protocol... "Yay"

What about when HTTP/2 becomes popular? You'll still have to deal with TLS
then unless you deal with TCP connections directly (and bypass HTTP).

~~~
wmf
Nobody's taking HTTP/1.1 away.

