
HTTP without being HTTPS all the time

From: Mike Belshe <mike@belshe.com>
Date: Thu, 19 Jul 2012 10:31:38 -0700
Message-ID: <CABaLYCt9ymU4LXZeOWCU3C5EO7rv126rHnksXZzhmJhYtH3cUQ@mail.gmail.com>
To: httpbis mailing list <ietf-http-wg@w3.org>

On the heels of our discussion about "should TLS be mandatory", comes this
article from Adam Langley.

It's worth a read.

Many on this list have advocated that you don't need to secure everything,
just the login pages (common practice with HTTP today).  Read this article
and then ask yourself if that is really true.

http://www.imperialviolet.org/2012/07/19/hope9talk.html

Mixed modes of sometimes-secure-and-sometimes-not-secure open a slew of
attacks that are only solved if you're all TLS all the time.  If someone
has a better solution, let me know; I don't know of one.

Mike
Received on Thursday, 19 July 2012 17:32:07 GMT
