
Re: Some reasons why mandating use of SSL for HTTP is a really bad idea

From: Mike Belshe <mike@belshe.com>
Date: Tue, 17 Jul 2012 21:43:57 -0700
Message-ID: <CABaLYCuoVqN5=i6wrup=HU0Rwur9SaOHR6KJO3-F58BAOv6m+A@mail.gmail.com>
To: Grahame Grieve <grahame@healthintersections.com.au>
Cc: "Adrien W. de Croy" <adrien@qbik.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
On Tue, Jul 17, 2012 at 9:32 PM, Grahame Grieve <grahame@healthintersections.com.au> wrote:

> so, the client and the server SHALL use encryption, except when they
> choose not to?
>

No, they shall use TLS.  TLS may negotiate a null cipher if both endpoints
agree to it.

Mike




>
> Grahame
>
>
> On Wed, Jul 18, 2012 at 2:24 PM, Mike Belshe <mike@belshe.com> wrote:
> >
> >
> > On Tue, Jul 17, 2012 at 9:20 PM, Grahame Grieve <grahame@kestral.com.au> wrote:
> >>
> >> > Can you enumerate these?  For debugging, of course it makes sense for
> >> > endpoints to have unencrypted modes.
> >>
> >> oh? but it was going to be mandatory. Except when it's not? which is it?
> >> If it's mandatory by policy, but not technically actually required,
> >> then... well..
> >> I think I know how that will turn out.
> >
> >
> > Naw - this is not a big deal.  For instance, a server can send a NULL
> > cipher to the client.  In normal modes, browsers will reject the NULL
> > cipher and not negotiate it.  However, you can use command line flags to
> > allow it.
> >
> > We do this all the time.  Another example is for turning on
> > same-origin-policy.  Browsers often have debugging modes for turning it
> > off.  You have to run the browser in a special, techie, opt-in way to do
> > it, but it is there.
> >
> > I used these all the time when developing in Chrome.
> >
> > Mike
> >
> >
> >>
> >>
> >> Grahame
> >
> >
>
>
>
> --
> -----
> http://www.healthintersections.com.au /
> grahame@healthintersections.com.au / +61 411 867 065
>
Received on Wednesday, 18 July 2012 04:44:19 GMT
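
The point made in this message, that a null cipher is negotiated only when both endpoints agree to it, can be checked against real TLS configurations. The following is an added example, not part of the original message or of any browser's code; `debug_context` and its cipher string are constructed stand-ins for an opt-in debugging mode.

```python
import ssl


def null_suites(ctx):
    """Names of enabled cipher suites on ctx that provide no encryption."""
    return sorted(
        c["name"]
        for c in ctx.get_ciphers()
        if c.get("strength_bits") == 0 or "NULL" in c["name"]
    )


def debug_context(purpose):
    """Constructed opt-in debugging configuration (an assumption of this
    example): explicitly adds the eNULL suites that defaults leave out."""
    ctx = ssl.create_default_context(purpose)
    # NULL-encryption suites discussed here are TLS 1.2-and-earlier suites.
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    # eNULL is never part of ALL or DEFAULT; it must be named explicitly,
    # and the security level lowered so the library does not filter it.
    ctx.set_ciphers("ALL:eNULL:@SECLEVEL=0")
    return ctx


def mutual_null_suites(client_ctx, server_ctx):
    """NULL suites a handshake could select: the suite must be offered by the
    client AND enabled on the server, so one strict side is enough to block."""
    return sorted(set(null_suites(client_ctx)) & set(null_suites(server_ctx)))


if __name__ == "__main__":
    default_client = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    default_server = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    debug_client = debug_context(ssl.Purpose.SERVER_AUTH)
    debug_server = debug_context(ssl.Purpose.CLIENT_AUTH)

    cases = [
        ("default client / debug server", default_client, debug_server),
        ("debug client / default server", debug_client, default_server),
        ("debug client / debug server", debug_client, debug_server),
    ]
    for label, client, server in cases:
        print(label, "->", mutual_null_suites(client, server) or "no NULL suite possible")
```

Running `null_suites` over a production context is a quick audit that a debugging configuration was not left enabled.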
