> +1 to what seems to be a lot of developers: make TLS mandatory.
>
>> so, even when used in an internal application protocol, it's going to
>> be end to end
>> encrypted to make it super hard to debug?
>
> In an internal application protocol, why would it be "super hard to
> debug"? The client can do an HTTP dump before TLS, the server can do
> an HTTP dump after TLS; either of the sides could debug the TLS.

yep. they can. But they have to. 3rd parties are shut out. I get that
in some circumstances this is good. But not all. As an example, I spend
quite a bit of my time looking at browser traffic now, to debug why my
servers or clients aren't working the way that a 3rd party client/server
set up is. Unless it's https, in which case.... I have to find some
other way.

>> http is about more than users using
>> web browsers.
>
> Completely true, and not relevant. Insecure HTTP for non-browser
> applications still has the same bad properties, no?

but a much wider deployment context, and much harder to work with

Grahame

Received on Wednesday, 18 July 2012 01:00:43 GMT