
Mandatory encryption

From: Paul Hoffman <paul.hoffman@gmail.com>
Date: Tue, 17 Jul 2012 17:51:56 -0700
Message-ID: <CAPik8yYuB1BZVN0YW3Hx9ubRRzd608jd09vVz+FASP=i5iRoZA@mail.gmail.com>
To: grahame@healthintersections.com.au
Cc: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>

+1 to what seems to be a lot of developers: make TLS mandatory.

> so, even when used in an internal application protocol, it's going to
> be end to end encrypted to make it super hard to debug?

In an internal application protocol, why would it be "super hard to
debug"? The client can do an HTTP dump before TLS, the server can do
an HTTP dump after TLS; either of the sides could debug the TLS.

> http is about more than users using web browsers.

Completely true, and not relevant. Insecure HTTP for non-browser
applications still has the same bad properties, no?

Received on Wednesday, 18 July 2012 00:53:11 GMT
