
Re: Mandatory encryption

From: Grahame Grieve <grahame@kestral.com.au>
Date: Wed, 18 Jul 2012 11:00:15 +1000
Message-ID: <CAG47hGaHaDsq5zpH5CT96hWYZZ1KatfRfu966eyPf4TyXFJMfA@mail.gmail.com>
To: Paul Hoffman <paul.hoffman@gmail.com>
Cc: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
> +1 to what seems to be a lot of developers: make TLS mandatory.
>
>>  so, even when used in an internal application protocol, it's going to
>>  be end to end
>>  encrypted to make it super hard to debug?
>
> In an internal application protocol, why would it be "super hard to
> debug"? The client can do an HTTP dump before TLS, the server can do
> an HTTP dump after TLS; either of the sides could debug the TLS.

Yep, they can. But they have to. 3rd parties are shut out. I get that in
some circumstances this is good. But not all. As an example, I spend
quite a bit of my time looking at browser traffic now, to debug why
my servers or clients aren't working the way that a 3rd party
client/server set up is. Unless it's https, in which case... I have to find
some other way.

>>  http is about more than users using
>>  web browsers.
>
> Completely true, and not relevant. Insecure HTTP for non-browser
> applications still has the same bad properties, no?

But a much wider deployment context, and much harder to work with.

Grahame
Received on Wednesday, 18 July 2012 01:00:43 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 18 July 2012 01:00:49 GMT