
Re: Some reasons why mandating use of SSL for HTTP is a really bad idea

From: Henry Story <henry.story@bblfish.net>
Date: Wed, 18 Jul 2012 18:09:13 +0200
Cc: Mike Belshe <mike@belshe.com>, grahame@healthintersections.com.au, "Adrien W. de Croy" <adrien@qbik.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Message-Id: <B06B4935-620D-4432-9281-0BC0F0F205D4@bblfish.net>
To: Zhong Yu <zhong.j.yu@gmail.com>

On 18 Jul 2012, at 18:03, Zhong Yu wrote:

> If TLS is mandated, yet NULL cipher is acceptable, what was the point
> of mandating TLS in the first place?

You get the security that the information was not corrupted along the way.
The User experience really needs to make that visible, but that's not a problem
with TLS.


> 
> On Tue, Jul 17, 2012 at 11:24 PM, Mike Belshe <mike@belshe.com> wrote:
>> 
>> 
>> On Tue, Jul 17, 2012 at 9:20 PM, Grahame Grieve <grahame@kestral.com.au>
>> wrote:
>>> 
>> Naw - this is not a big deal.  For instance, a server can send a NULL cipher
>> to the client.  In normal modes, browsers will reject the NULL cipher and
>> not negotiate it.  However, you can use command line flags to allow it.
>> 
>> We do this all the time.  Another example is for turning on
>> same-origin-policy.  Browsers often have debugging modes for turning it off.
>> You have to run the browser in a special, techie, opt-in way to do it, but
>> it is there.
>> 
>> I used these all the time when developing in Chrome.
>> 
>> Mike
>> 
>> 
>>> 
>>> 
>>> Grahame
>> 
>> 
> 

Social Web Architect
http://bblfish.net/
Received on Wednesday, 18 July 2012 16:09:50 GMT
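
The integrity-without-confidentiality property discussed in this thread, as an added example that is not part of the original messages or of any TLS implementation: a Python model of a TLS 1.2 application-data record under a NULL-encryption suite such as TLS_RSA_WITH_NULL_SHA, where the payload travels in cleartext with an HMAC-SHA1 appended. It models only the record MAC from RFC 5246 section 6.2.3.1 (no handshake or key derivation); the function names, key and sample payload are constructed for illustration.

```python
import hashlib
import hmac
import struct

APPLICATION_DATA = 23                  # TLS ContentType for application data
TLS12 = (3, 3)                         # ProtocolVersion major, minor for TLS 1.2
MAC_LEN = hashlib.sha1().digest_size   # 20 bytes for HMAC-SHA1


def _mac(mac_key: bytes, seq: int, fragment: bytes) -> bytes:
    # RFC 5246 6.2.3.1: HMAC over seq_num || type || version || length || fragment
    header = struct.pack("!QBBBH", seq, APPLICATION_DATA, *TLS12, len(fragment))
    return hmac.new(mac_key, header + fragment, hashlib.sha1).digest()


def seal_null(mac_key: bytes, seq: int, plaintext: bytes) -> bytes:
    """Record body as sent with NULL encryption: plaintext || MAC."""
    return plaintext + _mac(mac_key, seq, plaintext)


def open_null(mac_key: bytes, seq: int, body: bytes) -> bytes:
    """Verify the MAC and return the payload; raise ValueError if it was altered."""
    if len(body) < MAC_LEN:
        raise ValueError("record too short")
    fragment, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    if not hmac.compare_digest(tag, _mac(mac_key, seq, fragment)):
        raise ValueError("bad record MAC")
    return fragment


def observer_view(body: bytes) -> bytes:
    """What a passive on-path party reads from the record without any key."""
    return body[:-MAC_LEN]


if __name__ == "__main__":
    key = bytes(range(20))                       # constructed MAC key
    msg = b"GET /index.html HTTP/1.1\r\n\r\n"    # constructed payload
    body = seal_null(key, 0, msg)
    print("receiver accepts:", open_null(key, 0, body))
    print("observer reads:  ", observer_view(body))
    try:
        open_null(key, 0, body.replace(b"index", b"other"))
    except ValueError as exc:
        print("modified record rejected:", exc)
```

The sequence number is part of the MAC input, so a record replayed at a different position in the stream fails verification as well.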
