W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > May to August 2000

Re: draft-ietf-tls-http-upgrade reissued

From: Julien Pierre <jpierre@netscape.com>
Date: Thu, 04 May 2000 14:28:47 -0700
Message-ID: <3911EB8F.24B140B2@netscape.com>
To: Scott Lawrence <lawrence@agranat.com>
CC: IETF HTTP List <http-wg@hplb.hpl.hp.com>, Rohit Khare <rohit@ics.uci.edu>

Scott Lawrence wrote:

> Rohit covered the ground pretty well, and all the points you raise
> were discussed the first time around in one way or another, but I'll
> reiterate a point or two.
> Users have been trained to believe that an 'https:' scheme means
> 'secure', but what does it really mean?  What it means is 'try this
> connection first on port 443 and negotiate (via the TLS/SSL
> handshake) a set of security services'.  Key to this is
> 'negotiate' - the resulting connection could negotiate a set of
> services using any of several cipher suites, including easily
> breakable or null encryption.

Agreed. However, one can disable the null & easily breakable cipher
suites in their client, and therefore be sure that when https URLs are
submitted, the connection is secure. The NULL encryption is by default
disabled in mainstream browsers.

>  If there is a need for labelling of content
> with security attributes, then that need is best met in the content
> itself, and the 'single bit' of appending an 's' to the scheme name
> is grossly insufficient.

I agree that it would be better to get more security information in the
content links than just that one "s" bit.

However, the complete lack of even that one bit to determine the
security attribute, which is what you propose by using regular http
URLs, is not merely grossly insufficient, but completely unacceptable.

I understand that you are trying to keep some level of compatibility
with existing clients, and at the same time trying to unify the ports
for secure/non-secure servers, and allowing secure virtual servers. I
believe however that none of the problems are solved adequately :

- existing HTTP clients will compromise security when connected to the
new servers, because they will not be able to negotiate the TLS ugrade
- existing HTTPS clients will not even connect to the new servers,
because the server will be expecting an initial non-secure connection
followed by an upgrade

This shows that it's not a practical solution for saving TCP ports at
this time. It requires an entirely new generation of servers and
clients, and even then there is still doubt about how the upgrade to TLS
is enforced, as mentioned in previous e-mails.

for a good time, try kill -9 -1

Received on Thursday, 4 May 2000 22:30:08 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 7 January 2015 14:40:24 UTC