
Re: Some reasons why mandating use of SSL for HTTP is a really bad idea

From: Zhong Yu <zhong.j.yu@gmail.com>
Date: Wed, 18 Jul 2012 11:03:32 -0500
Message-ID: <CACuKZqHek-_n6fA91TKhuQLXcJqAs7GsaKyseQLYxnqaz6ziow@mail.gmail.com>
To: Mike Belshe <mike@belshe.com>
Cc: grahame@healthintersections.com.au, "Adrien W. de Croy" <adrien@qbik.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>

If TLS is mandated, yet NULL cipher is acceptable, what was the point
of mandating TLS in the first place?

On Tue, Jul 17, 2012 at 11:24 PM, Mike Belshe <mike@belshe.com> wrote:
>
>
> On Tue, Jul 17, 2012 at 9:20 PM, Grahame Grieve <grahame@kestral.com.au>
> wrote:
>>
> Naw - this is not a big deal.  For instance, a server can send a NULL cipher
> to the client.  In normal modes, browsers will reject the NULL cipher and
> not negotiate it.  However, you can use command line flags to allow it.
>
> We do this all the time.  Another example is for turning on
> same-origin-policy.  Browsers often have debugging modes for turning it off.
> You have to run the browser in a special, techie, opt-in way to do it, but
> it is there.
>
> I used these all the time when developing in Chrome.
>
> Mike
>
>
>>
>>
>> Grahame
>
>
Received on Wednesday, 18 July 2012 16:04:03 GMT
