W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2012

Re: SPDY = HTTP/2.0 or not ?

From: patrick mcmanus <pmcmanus@mozilla.com>
Date: Mon, 26 Mar 2012 09:44:04 +0200
Message-ID: <4F701E44.6060108@mozilla.com>
To: ietf-http-wg@w3.org
On 3/26/2012 7:56 AM, Poul-Henning Kamp wrote:
> In message<CAAbTgTu7qbPiREWRRqFddgoko0FCt0jmxR=NP1gqsiARCwscew@mail.gmail.com>
> , Brian Pane writes:
>> Nonetheless, I think it would be reasonable for HTTP/2.0 to require SSL.
> I think you need to talk to some people with big websites ;-)
Existence proofs: google does all of their logged in user search over 
SSL, Twitter encourages SSL by default, Facebook is widely used that 
way. It pretty clearly can be done at scale. Its not free, but its worth it.

More importantly - no user wants to use an insecure protocol - ever. Web 
protocol design should serve them first. They have an unmet expectation 
of privacy and security that we should meet by making the application 
protocol secure all the time; the mixed- content vulnerabilities of 
HTTP/1 make that clear to me.
Received on Monday, 26 March 2012 07:44:38 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:11:01 UTC