
Re: HTTP without being HTTPS all the time

From: Willy Tarreau <w@1wt.eu>
Date: Thu, 19 Jul 2012 20:49:24 +0200
To: Mike Belshe <mike@belshe.com>
Cc: httpbis mailing list <ietf-http-wg@w3.org>
Message-ID: <20120719184924.GM16208@1wt.eu>

Hi Mike,

On Thu, Jul 19, 2012 at 10:31:38AM -0700, Mike Belshe wrote:
> On the heels of our discussion about "should TLS be mandatory", comes this
> article from Adam Langley.
> 
> It's worth a read.
> 
> Many on this list have advocated that you don't need to secure everything,
> just the login pages (common practice with HTTP today).  Read this article
> and then ask yourself if that is really true.
> 
> http://www.imperialviolet.org/2012/07/19/hope9talk.html
> 
> Mixed modes of sometimes-secure-and-sometimes-not-secure open a slew of
> attacks that are only solved if you're all TLS all the time.  If someone
> has a better solution, let me know; I don't know of one.

Thanks for the link.

As usual, Adam gave a nice description there, and I'm sure many of us are
aware of the issues he describes. I'm among those who consider that having
only some pages of a site secured is dangerous. Either the site is clear or
it's not.

But this is not http vs https, it's orthogonal, in fact it's https only vs
mixed http/https. The article is clearly aimed at https-enabled sites, and
does not mean that all sites need https (it even says the opposite BTW).

Regards,
Willy
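The thread's point is that a site is either fully on TLS or it is effectively unprotected. The following is an added example, not code from the thread or from either author, showing the three checks an operator would run to confirm a site is "all TLS all the time": plain-HTTP requests redirect to https://, the HTTPS response carries a Strict-Transport-Security header, and session cookies are marked Secure so they never travel over plaintext. The sample responses, the example.com host and the 180-day HSTS threshold are constructed assumptions for the demonstration.

```python
"""Audit constructed HTTP/HTTPS responses for an all-TLS site policy.

Added example (not from the mailing-list thread). A site is treated as
"all TLS" only if every check passes; any single miss means part of the
session can be observed or tampered with over plain HTTP.
"""
from http.cookies import SimpleCookie
from urllib.parse import urlparse

# Assumed threshold for an HSTS max-age worth trusting: 180 days in seconds.
MIN_HSTS_AGE = 15552000


def http_redirects_to_https(status, headers):
    """The plain-HTTP response must be a redirect whose Location uses https://."""
    if status not in (301, 302, 307, 308):
        return False
    location = headers.get("Location", "")
    return urlparse(location).scheme == "https"


def has_hsts(headers, min_age=MIN_HSTS_AGE):
    """Strict-Transport-Security must be present with a max-age of at least min_age."""
    value = headers.get("Strict-Transport-Security", "")
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        if name.lower() == "max-age":
            try:
                return int(val.strip()) >= min_age
            except ValueError:
                return False
    return False


def insecure_cookies(set_cookie_headers):
    """Return the names of cookies that lack the Secure attribute."""
    leaking = []
    for raw in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(raw)
        for name, morsel in jar.items():
            # http.cookies stores the Secure flag as True when present, "" otherwise.
            if not morsel["secure"]:
                leaking.append(name)
    return leaking


def audit(http_status, http_headers, https_headers, set_cookie_headers):
    """Return a list of findings; an empty list means the site is all-TLS."""
    findings = []
    if not http_redirects_to_https(http_status, http_headers):
        findings.append("plain HTTP serves content instead of redirecting to https://")
    if not has_hsts(https_headers):
        findings.append("Strict-Transport-Security missing or max-age too short")
    for name in insecure_cookies(set_cookie_headers):
        findings.append(f"cookie {name!r} lacks Secure and will be sent over http://")
    return findings


# Constructed sample: a "mixed" site that only protects its login page.
MIXED_SITE = dict(
    http_status=200,
    http_headers={"Content-Type": "text/html"},
    https_headers={"Content-Type": "text/html"},
    set_cookie_headers=["session=abc123; Path=/; HttpOnly"],
)

# Constructed sample: the same site after moving to TLS everywhere.
FULL_TLS_SITE = dict(
    http_status=301,
    http_headers={"Location": "https://example.com/"},
    https_headers={"Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
    set_cookie_headers=["session=abc123; Path=/; Secure; HttpOnly"],
)


if __name__ == "__main__":
    for label, site in (("mixed", MIXED_SITE), ("all-tls", FULL_TLS_SITE)):
        result = audit(**site)
        print(f"{label}: {'OK' if not result else 'FINDINGS'}")
        for line in result:
            print("  -", line)
```

The cookie check is the one most often overlooked: even when every page is served over HTTPS, a session cookie without the Secure attribute is transmitted the first time a browser follows any http:// link to the same host, which is exactly the partial-protection situation the thread warns against.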
Received on Thursday, 19 July 2012 18:49:51 GMT
