W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2012

Re: SPDY = HTTP/2.0 or not ?

From: patrick mcmanus <pmcmanus@mozilla.com>
Date: Mon, 26 Mar 2012 13:39:15 +0200
Message-ID: <4F705563.50607@mozilla.com>
To: ietf-http-wg@w3.org
On 3/26/2012 12:41 PM, Henry Story wrote:
> Having said that to cater for use cases where security is not an issue, yet
> to make sure that the groups working on SPDY to do not forget security, I think
> having SSL be opt out that is a good idea. It satisfies both use cases, but
> helps make sure the groups communicate more closely than they would otherwise do.

none of this needs to be decided now, of course. But having any path for 
mixed-content (e.g. https html with http scripts or even images) is 
potentially troublesome - we've seen that repeatedly for the last 10 
years. Content owners do not understand the risks they are exposing 
their users to by using insecure protocols. The web would be better 
without that vector.

I know that not every use case is about the web, but it seems at least 
plausible that the best path is to secure everything rather than relying 
on the deployer's judgment which has a bad failure mode.
Received on Monday, 26 March 2012 11:39:47 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:11:01 UTC