W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2013

Re: HTTPS, proxying, and all that...

From: Poul-Henning Kamp <phk@phk.freebsd.dk>
Date: Fri, 11 Jan 2013 19:20:56 +0000
To: Ilya Grigorik <ilya@igvita.com>
cc: HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <23942.1357932056@critter.freebsd.dk>
--------
In message <CAKRe7JHidJN9rnp9fM_7aevR9opZ7P4GnMT+2C3tdoFqLg6ShQ@mail.gmail.com>
, Ilya Grigorik writes:

>How does this impact the "long term reality of HTTP/2.0"?

Quite simple:

Right now HTTPS is designed to implement end-to-end crypto, but while
that is a nice ideal, it is not possible for IETF to enforce this in
practice.  The result is that people circumvent the design of HTTPS,
with a host security issues as a result of broken design assumptions.

HTTP/2.0 should be designed so that such intrusions of the "end-to-end
argument" does not cause more than the minimally necessary loss of
security.

Or if you will: "Graceful degradation"

-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe    
Never attribute to malice what can adequately be explained by incompetence.
Received on Friday, 11 January 2013 19:21:19 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 11 January 2013 19:21:20 GMT