Re: The TLS hammer and resource integrity

From: Henry Story <henry.story@bblfish.net>
Date: Wed, 28 Mar 2012 12:16:38 +0200
Cc: Poul-Henning Kamp <phk@phk.freebsd.dk>, ietf-http-wg@w3.org
Message-Id: <40F0DC75-AA42-4CAB-90CE-E7547E25604E@bblfish.net>
To: J Ross Nicoll <jrn@jrn.me.uk>

On 28 Mar 2012, at 10:48, J Ross Nicoll wrote:

> I'd like to add low-power use cases (e.g. sensor networks) to that, as well, where the overhead of TLS is a non-trivial issue both in CPU time and battery power.

Yes, that's why I was arguing for allowing TLS to be opt-out.

> I maintain that if we try forcing TLS in HTTP 2.0, many people will complain, and then fork their own versions of HTTP 2.0 without TLS. Best case scenario is a single sensible standard that models HTTP without TLS, more likely we'll end up with 2-3 subtly incompatible versions and a huge stack of workarounds to hold the mess together.
> Ross
> On 28/03/2012 08:21, Poul-Henning Kamp wrote:
>> Everything, that is, except performance and choice. There is no way to get around that mandatory TLS is overkill in many high-volume applications, most notably p0rn. If you want to kill HTTP/1.1, you have to make HTTP/2.0 a good idea for the 50% of web traffic consisting of pink bits.
>>
>> Second, there are places where TLS is simply not a good idea, either because other security measures are in place, or because transparency is specifically called for (Think: Flight Recorder).

Social Web Architect
Received on Wednesday, 28 March 2012 10:17:20 UTC
