W3C home > Mailing lists > Public > ietf-http-wg@w3.org > July to September 2012

Re: HTTP without being HTTPS all the time

From: Mike Belshe <mike@belshe.com>
Date: Thu, 19 Jul 2012 14:29:50 -0700
Message-ID: <CABaLYCtpP+FF9WhdURN7NnT1UT1a3gLq9jU2hCdbFphbV6gWLA@mail.gmail.com>
To: Phillip Hallam-Baker <hallam@gmail.com>
Cc: httpbis mailing list <ietf-http-wg@w3.org>
On Thu, Jul 19, 2012 at 12:46 PM, Phillip Hallam-Baker <hallam@gmail.com>wrote:

> Adam is speaking about the use of HTTP in Web browsing. There is no
> question that TLS should always be on for Web browsing.
>

Oh!

I'd be happy with this compromise.

Mike



>
> If you want to write a draft that specifies a set of required security
> standards for secure Web browsing it would be very useful and I would
> support TLS being a requirement for secure Web browsing (among quite a
> few others). Such a standard could be really useful for use in RFPs
> for outsourcing Web hosting and it does not need to be tied to HTTP
> 2.0 at all.
>
>
> What is being discussed here is HTTP and the HTTP world is much larger
> than Web Browsing. In particular there is a whole world of Web
> Services where we use other security layers because those give us the
> security properties we want while TLS does not. In particular there is
> the WS-* stack and JSON encryption and Signature being developed right
> now.
>
>
> I do not want to continue this discussion here because:
>
> 1) The chair has asked us not to
> 2) It is a rat hole
> 3) The people making this proposal don't seem to want to listen when
> it is pointed out that privacy and confidentiality are different
> issues in the security world and that the distinction matters a lot.
>
> On Thu, Jul 19, 2012 at 1:31 PM, Mike Belshe <mike@belshe.com> wrote:
> > On the heels of our discussion about "should TLS be mandatory", comes
> this
> > article from Adam Langley.
> >
> > It's worth a read.
> >
> > Many on this list have advocated that you don't need to secure
> everything,
> > just the login pages (common practice with HTTP today).  Read this
> article
> > and then ask yourself if that is really true.
> >
> > http://www.imperialviolet.org/2012/07/19/hope9talk.html
> >
> > Mixed modes of sometimes-secure-and-sometimes-not-secure open a slew of
> > attacks that are only solved if you're all TLS all the time.  If someone
> has
> > a better solution, let me know; I don't know of one.
> >
> > Mike
> >
>
>
>
> --
> Website: http://hallambaker.com/
>
Received on Thursday, 19 July 2012 21:30:18 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 19 July 2012 21:30:24 GMT