
Re: HTTP without being HTTPS all the time

From: Peter Saint-Andre <stpeter@stpeter.im>
Date: Thu, 19 Jul 2012 15:48:42 -0600
Message-ID: <500880BA.5030202@stpeter.im>
To: Mike Belshe <mike@belshe.com>
CC: Phillip Hallam-Baker <hallam@gmail.com>, httpbis mailing list <ietf-http-wg@w3.org>

On 7/19/12 3:29 PM, Mike Belshe wrote:
> 
> 
> On Thu, Jul 19, 2012 at 12:46 PM, Phillip Hallam-Baker <hallam@gmail.com> wrote:
> 
>     Adam is speaking about the use of HTTP in Web browsing. There is no
>     question that TLS should always be on for Web browsing.
> 
> 
> Oh!
> 
> I'd be happy with this compromise.

At the protocol level, there is no such thing as web browsing vs. web
services, there's just HTTP. Jeff Hodges likes to talk about web
applications. [1] Sure, you want your banking app to be TLS-protected
with HSTS and so on. For visiting your friend's website of cat pictures,
not so much. They're both "web browsing", but the use cases are totally
different. Why would we treat them the same? And how are they
fundamentally different from web services?

Peter

[1] https://datatracker.ietf.org/doc/draft-hodges-websec-framework-reqs/
Received on Thursday, 19 July 2012 21:49:10 GMT
