W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2012

Re: SPDY = HTTP/2.0 or not ?

From: Roy T. Fielding <fielding@gbiv.com>
Date: Mon, 26 Mar 2012 10:10:03 +0200
Cc: ietf-http-wg@w3.org
Message-Id: <69FDA1F0-CA3F-4DE2-B196-22CCEA8989D2@gbiv.com>
To: patrick mcmanus <pmcmanus@mozilla.com>
On Mar 26, 2012, at 9:44 AM, patrick mcmanus wrote:

> On 3/26/2012 7:56 AM, Poul-Henning Kamp wrote:
>> In message<CAAbTgTu7qbPiREWRRqFddgoko0FCt0jmxR=NP1gqsiARCwscew@mail.gmail.com>
>> , Brian Pane writes:
>>> Nonetheless, I think it would be reasonable for HTTP/2.0 to require SSL.
>> I think you need to talk to some people with big websites ;-)
> Existence proofs: google does all of their logged in user search over SSL, Twitter encourages SSL by default, Facebook is widely used that way. It pretty clearly can be done at scale. Its not free, but its worth it.
> More importantly - no user wants to use an insecure protocol - ever. Web protocol design should serve them first. They have an unmet expectation of privacy and security that we should meet by making the application protocol secure all the time; the mixed- content vulnerabilities of HTTP/1 make that clear to me.

I've never considered SSL to be a means of securing the protocol.
It does a decent job of hiding the exchange of data from passive
observers, but the way that typical user agents handle certificate
management lacks what I would consider a secure protocol.

In any case, the notion that every user wants a secure protocol is
irrelevant.  There are many examples of HTTP use, in practice, for
which SSL/TLS is neither desired nor appropriate.  Even simple things,
like the exchange that Apple devices use to discover network access point
logins, cannot work with an assumption of SSL/TLS.  Likewise, many uses of
HTTP are in kiosks, public schools, libraries, and other areas for which
your concern as a user is less important than the organization's
responsibility to prevent misuse.

There are ways to have both a secure protocol and visibility for
intermediaries, but we don't have to agree to any of these "requirements"
up front.  If the protocol proposals can't stand for themselves, then
I have no need for a new protocol.

Received on Monday, 26 March 2012 08:10:31 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:11:01 UTC