Re: Some reasons why mandating use of SSL for HTTP is a really bad idea

On Tue, Jul 17, 2012 at 9:32 PM, Grahame Grieve <
grahame@healthintersections.com.au> wrote:

> so, the client and the server SHALL use encryption, except when they
> choose not to?
>

No, they shall use TLS.  TLS may negotiate a null cipher if both endpoints
agree to it.

Mike
>
> Grahame
>
>
> On Wed, Jul 18, 2012 at 2:24 PM, Mike Belshe <mike@belshe.com> wrote:
> >
> >
> > On Tue, Jul 17, 2012 at 9:20 PM, Grahame Grieve <grahame@kestral.com.au>
> > wrote:
> >>
> >> > Can you enumerate these?  For debugging, of course it makes sense for
> >> > endpoints to have unencrypted modes.
> >>
> >> oh? but it was going to be mandatory. Except when it's not? which is it?
> >> If it's mandatory by policy, but not technically actually required,
> >> then... well..
> >> I think I know how that will turn out.
> >
> >
> > Naw - this is not a big deal.  For instance, a server can send a NULL
> cipher
> > to the client.  In normal modes, browsers will reject the NULL cipher and
> > not negotiate it.  however, you can use command line flags to allow it.
> >
> > We do this all the time.  Another example is for turning on
> > same-origin-policy.  Browsers often have debugging modes for turning it
> off.
> > You have to run the browser in a special, techie, opt-in way to do it,
> but
> > it is there.
> >
> > I used these all the time when developing in Chrome.
> >
> > Mike
> >
> >
> >>
> >>
> >> Grahame
> >
> >
>
>
>
> --
> -----
> http://www.healthintersections.com.au /
> grahame@healthintersections.com.au / +61 411 867 065
>
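As an added illustration (my code, not part of the thread), here is a Python check an operator can run against an OpenSSL cipher string to see whether any enabled suite uses the NULL bulk cipher Mike describes, i.e. a TLS session whose records carry no encryption; the function names are my own.

```python
import ssl


def offers_null_encryption(cipher_name: str) -> bool:
    """True if an OpenSSL-style suite name (e.g. NULL-SHA256, ECDHE-RSA-NULL-SHA)
    uses the NULL bulk cipher: integrity only, application data in plaintext."""
    parts = cipher_name.upper().split("-")
    return "NULL" in parts


def enabled_null_suites(cipher_string: str) -> list[str]:
    """Build a client context from an OpenSSL cipher string and return the
    names of enabled suites that would send application data unencrypted.

    An empty list means the configuration cannot negotiate a NULL cipher even
    if the peer offers one, which is the normal (non-debug) browser behaviour
    described in the thread."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        # The string matched no suite on this OpenSSL build (e.g. eNULL
        # compiled out); nothing can be negotiated, so nothing is NULL.
        return []
    # get_ciphers() also lists the fixed TLS 1.3 suites, none of which is NULL.
    return [c["name"] for c in ctx.get_ciphers() if offers_null_encryption(c["name"])]


if __name__ == "__main__":
    # Hardened configuration: NULL suites excluded explicitly.
    print("hardened :", enabled_null_suites("HIGH:!aNULL:!eNULL"))
    # Permissive "debug" configuration: whatever NULL suites this build offers.
    print("permissive:", enabled_null_suites("ALL:eNULL"))
```

The permissive line prints an empty list on builds that compile out NULL suites, so the presence of names there tells you the local OpenSSL is still able to agree to an unencrypted session if the peer asks for one.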

Received on Wednesday, 18 July 2012 04:44:19 UTC