
Re: Some reasons why mandating use of SSL for HTTP is a really bad idea

From: Zhong Yu <zhong.j.yu@gmail.com>
Date: Wed, 18 Jul 2012 11:21:13 -0500
Message-ID: <CACuKZqFHRLeCvjtWjBT=QfgW21Z2wvK_z_YoSNxmKJyMJO-riQ@mail.gmail.com>
To: Henry Story <henry.story@bblfish.net>
Cc: Mike Belshe <mike@belshe.com>, grahame@healthintersections.com.au, "Adrien W. de Croy" <adrien@qbik.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
That's nice, but I don't think content tampering is a major concern in
this discussion.

On Wed, Jul 18, 2012 at 11:09 AM, Henry Story <henry.story@bblfish.net> wrote:
>
> On 18 Jul 2012, at 18:03, Zhong Yu wrote:
>
>> If TLS is mandated, yet NULL cipher is acceptable, what was the point
>> of mandating TLS in the first place?
>
> You get the security that the information was not corrupted along the way.
> The User experience really needs to make that visible, but that's not a problem
> with TLS.
>
>
>>
>> On Tue, Jul 17, 2012 at 11:24 PM, Mike Belshe <mike@belshe.com> wrote:
>>>
>>>
>>> On Tue, Jul 17, 2012 at 9:20 PM, Grahame Grieve <grahame@kestral.com.au>
>>> wrote:
>>>>
>>> Naw - this is not a big deal.  For instance, a server can send a NULL cipher
>>> to the client.  In normal modes, browsers will reject the NULL cipher and
>>> not negotiate it.  However, you can use command line flags to allow it.
>>>
>>> We do this all the time.  Another example is for turning on
>>> same-origin-policy.  Browsers often have debugging modes for turning it off.
>>> You have to run the browser in a special, techie, opt-in way to do it, but
>>> it is there.
>>>
>>> I used these all the time when developing in Chrome.
>>>
>>> Mike
>>>
>>>
>>>>
>>>>
>>>> Grahame
>>>
>>>
>>
>
> Social Web Architect
> http://bblfish.net/
>
Received on Wednesday, 18 July 2012 16:21:41 GMT
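
The trade-off argued in this thread, as an added example that is not part of any poster's message: a simplified model of TLS 1.2 record protection under a NULL-encryption suite with an HMAC-SHA256 MAC, showing that a modified record is rejected while the payload stays readable on the wire. The key, sequence numbers and sample request are constructed, the function names are hypothetical, and the handshake and key exchange are omitted.

```python
import hashlib
import hmac
import struct

MAC_LEN = 32            # HMAC-SHA256 tag size
APPLICATION_DATA = 23   # TLS ContentType
TLS12 = (3, 3)          # ProtocolVersion for TLS 1.2


def record_mac(key, seq, ctype, fragment):
    # TLS 1.2 MAC input: seq_num || type || version || length || fragment
    hdr = struct.pack("!QBBBH", seq, ctype, TLS12[0], TLS12[1], len(fragment))
    return hmac.new(key, hdr + fragment, hashlib.sha256).digest()


def protect(key, seq, fragment):
    """NULL encryption: the wire body is the plaintext followed by its MAC."""
    body = fragment + record_mac(key, seq, APPLICATION_DATA, fragment)
    return struct.pack("!BBBH", APPLICATION_DATA, TLS12[0], TLS12[1], len(body)) + body


def verify(key, seq, record):
    """Return the plaintext if the MAC checks out, else raise ValueError."""
    if len(record) < 5 + MAC_LEN:
        raise ValueError("record too short")
    ctype, major, minor, length = struct.unpack("!BBBH", record[:5])
    body = record[5:]
    if (major, minor) != TLS12 or length != len(body):
        raise ValueError("malformed record")
    fragment, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    if not hmac.compare_digest(tag, record_mac(key, seq, ctype, fragment)):
        raise ValueError("bad_record_mac")
    return fragment


def passive_view(record):
    """What an on-path observer without the key can read off the wire."""
    return record[5:-MAC_LEN]


if __name__ == "__main__":
    key = bytes(range(32))                                       # constructed MAC key
    msg = b"GET /inbox HTTP/1.1\r\nCookie: sid=EXAMPLE\r\n\r\n"  # constructed request
    rec = protect(key, 0, msg)
    print("observer reads:", passive_view(rec))
    flipped = rec[:9] + bytes([rec[9] ^ 1]) + rec[10:]           # one bit changed in transit
    try:
        verify(key, 0, flipped)
    except ValueError as e:
        print("modified record rejected:", e)
```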
