This is the same thinking that gives you the idea of a "golden key" - A backdoor (sorry, "Framework") that weakens people's privacy, but is magically only usable by one government's TLAs, because China immediately asking for a copy of the key "because terrorism" is of course unreasonable and requires a presidential statement to that effect....
Under UK's RIPa, the police are perfectly entitled to connect to any website, then demand the https secret key from any individual in their jurisdiction who has (or can obtain) that key (they need to connect first as they need a data set that is encrypted with the key to justify the demand); that doesn't need a new law or ruling, its an already existing non-judicial warrant route (and has a gag order attached in the NSL style)
As I understand it, many police departments have already set their budgets around estimated "income" from seizures; the loss of that money could impact all the nice toys they pl.. I mean, policing. yeah, that's it.
that this is actually aimed at "pass4sure" type websites, where memorizing the asked questions is a common method to acquire the actual question lists without having to sneak a camera or other recording device into the exam.
they are claiming copyright on the specific questions and answers, rather than the base study material that is supposed to impart the learning to pass the exam - but it does put them in the odd position that remembering what questions you took is a violation of their copyright (rather than, for example, the act of reproducing their exam questions from memory)
And more so; much of the law that the NSA is struggling to get passed is already in force here, and many laws that have passed are simply to work around the EU demands that the UK *stop* doing such things unless they have a law that explicitly permits it...
The UK is often more of a test lab for US policies than a country in its own right.
I don't see this as a good idea. Lets say you have a site that is competing with other similar sites on content; it is purely a provider of info (so no user submissions or logins to worry about) but has lost pagerank to another site that has better content.
To improve your google rankings, you can either: a) add or update content to improve the quality of your site b) buy a worthless https certificate (for $150/year or so)
While I am a strong believer that https should be applied wherever appropriate, I am not sure "everywhere" is appropriate.
It is being made plain that the apparatus of other countries (UK to a great extreme, but also Germany etc, plus the constant accusations against Chinese companies) is just as untrustworthy; fold in some obvious staged "victories" like *one* NSL being withdrawn when Microsoft challenged it (out of the dozens they no doubt get) and statements like Microsoft's declaration recently that they have *never* been even asked to add backdoors to their products (which was later debunked by statements from staff familiar with, for example, Bitlocker) and there is a blatant attempt to wash away the stigmata of being under the US Intel thumb by misdirection and outright lies...
This is a snowball thing. There is now so much money riding on it (particuarly disgorgement of illegally obtained fees) TW can't afford to *not* fight any attempt to invalidate the copyright - and given that, there is no additional cost (to them) of continuing to demand fees;
I suspect also that executives are either fooling themselves that they can somehow just declare HB to be public domain, tell the court the issue is moot (as it is now public domain) and walk away, should they be faced with a lawsuit like this one -or- Have a golden parachute deal where they can walk away with a big payoff and move to another equally abusive copyright maximalist, because after all, its the *company* that did this, not them, right?
Problem is, TLS is largely opportunistic; in the past, when I needed to force a connection to NOT be secure, I have simply hidden the STARTTLS offer in the EHLO response (literally rewrote that packet to read STARTTTT) and the link proceeded without attempting a secure handshake.
In cases where TLS *is* begun, actually checking the poffered certificate is the exception, not the rule - some will actually check expiry or domain name match, almost none will verify the CA chain (so a self-signed is fine) - again, this makes interception easy.
Adding this step does help - it means that attackers need to perform an active attack replacing some or all of the traffic, rather than passively recording - but it isn't much more than a speed bump against a determined attacker with ISP router access.
His original tweet was: "We are considering several scenarios, including potentially supporting a fork under appropriate free license, w/ a fully reproducible build." But later followed up with: "Just for the record, we are not 'forking Truecrypt'. We plan to audit it and perhaps organize (financial) support around such an effort."
Now, there IS a fork in the process of creation over at http://truecrypt.ch/ but as it is in the early stages of the process, and the Audit guys have yet to complete the rest of their study of the app crypto, it would be better to leave this on the back-burner until we know what bugs need to be fixed....