- From: Mike Belshe <mike@belshe.com>
- Date: Thu, 19 Jul 2012 14:29:50 -0700
- To: Phillip Hallam-Baker <hallam@gmail.com>
- Cc: httpbis mailing list <ietf-http-wg@w3.org>
- Message-ID: <CABaLYCtpP+FF9WhdURN7NnT1UT1a3gLq9jU2hCdbFphbV6gWLA@mail.gmail.com>
On Thu, Jul 19, 2012 at 12:46 PM, Phillip Hallam-Baker <hallam@gmail.com> wrote:

> Adam is speaking about the use of HTTP in Web browsing. There is no
> question that TLS should always be on for Web browsing.
>

Oh! I'd be happy with this compromise.

Mike

> If you want to write a draft that specifies a set of required security
> standards for secure Web browsing it would be very useful and I would
> support TLS being a requirement for secure Web browsing (among quite a
> few others). Such a standard could be really useful for use in RFPs
> for outsourcing Web hosting and it does not need to be tied to HTTP
> 2.0 at all.
>
>
> What is being discussed here is HTTP and the HTTP world is much larger
> than Web Browsing. In particular there is a whole world of Web
> Services where we use other security layers because those give us the
> security properties we want while TLS does not. In particular there is
> the WS-* stack and JSON encryption and Signature being developed right
> now.
>
>
> I do not want to continue this discussion here because:
>
> 1) The chair has asked us not to
> 2) It is a rat hole
> 3) The people making this proposal don't seem to want to listen when
> it is pointed out that privacy and confidentiality are different
> issues in the security world and that the distinction matters a lot.
>
> On Thu, Jul 19, 2012 at 1:31 PM, Mike Belshe <mike@belshe.com> wrote:
> > On the heels of our discussion about "should TLS be mandatory", comes this
> > article from Adam Langley.
> >
> > It's worth a read.
> >
> > Many on this list have advocated that you don't need to secure everything,
> > just the login pages (common practice with HTTP today). Read this article
> > and then ask yourself if that is really true.
> >
> > http://www.imperialviolet.org/2012/07/19/hope9talk.html
> >
> > Mixed modes of sometimes-secure-and-sometimes-not-secure open a slew of
> > attacks that are only solved if you're all TLS all the time. If someone has
> > a better solution, let me know; I don't know of one.
> >
> > Mike
> >
> >
>
> --
> Website: http://hallambaker.com/
>
Received on Thursday, 19 July 2012 21:30:18 UTC