
Re: Rough minutes

From: Yoav Nir <ynir@checkpoint.com>
Date: Sun, 10 Nov 2013 21:29:41 +0000
To: Julian Reschke <julian.reschke@gmx.de>
CC: HTTP Working Group <ietf-http-wg@w3.org>, Peter Lepeska <bizzbyster@gmail.com>, Tim Bray <tbray@textuality.com>, Mark Nottingham <mnot@mnot.net>
Message-ID: <6E5FE87E-40C5-4870-9CA2-4A294D1D7461@checkpoint.com>

On Nov 10, 2013, at 11:53 AM, Julian Reschke <julian.reschke@gmx.de> wrote:

> On 2013-11-10 05:11, Yoav Nir wrote:
>> I'm stumped about #3 myself.
>> 
>> The literal interpretation is that you follow (or type in) an http://
>> link, get a response, and in the response learn that this is also
>> available with SSL. So the client attempts to upgrade to SSL, and
>> receives a valid certificate. So, yay!
>> 
>> But in that case, why is the http:// link out there at all, and if
>> anybody types it in, why not immediately redirect to https:// as pretty
>> much all sites using SSL do?
> 
> Redirecting means changing the URI (bookmarks etc), and also implies running the service both on port 80 and 443.

Right. But that's a good thing for a site with a valid certificate, no? Even port 80 doesn't have the same service as port 443, but just something that redirects all requests to the https equivalent.

I just don't see why opportunistic encryption is useful for sites with a valid certificate. I think OE is needed for the 70% of websites ([1]) that don't have a valid certificate.

Yoav


[1] http://w3techs.com/technologies/overview/ssl_certificate/all
Received on Sunday, 10 November 2013 21:30:28 UTC
