W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2013

Re: Moving forward on improving HTTP's security

From: Tao Effect <contact@taoeffect.com>
Date: Wed, 13 Nov 2013 13:53:36 -0500
Cc: "William Chan (陈智昌)" <willchan@chromium.org>, Mike Belshe <mike@belshe.com>, Tim Bray <tbray@textuality.com>, James M Snell <jasnell@gmail.com>, Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
Message-Id: <D531FC7E-89AC-41AC-801D-9B3DCB300B92@taoeffect.com>
To: Martin Thomson <martin.thomson@gmail.com>
OK, I agree with this sentiment.

What worries me is the emphasis that I see being placed on HTTP 2.0 being "secure".

Perhaps it is somewhat of a marketing problem, but nevertheless, it's a marketing problem with potentially serious security consequences.

If HTTP/2.0 is flexible enough to allow for very different types of authentication practices than the ones currently done with the PKI/CA system, then I would support it.

Just make it _clear_ then that HTTP/2.0 is not about improving security.

If this is not made crystal clear, then people will continue to see news headlines on tech sites that give people the impression that something is actually being done to improve the internet's security with this "move to HTTP 2.0!", which is horse sh*t.

- Greg

--
Please do not email me anything that you are not comfortable also sharing with the NSA.

On Nov 13, 2013, at 1:47 PM, Martin Thomson <martin.thomson@gmail.com> wrote:

> On 13 November 2013 10:42, William Chan (陈智昌) <willchan@chromium.org> wrote:
>> If there are issues with TLS or the PKI or whatever we're relying on for the
>> secure channel, let's fix it.
> 
> Yes.  We outsource the bulk of HTTP security work to the SEC area
> working groups, primarily TLS.  They are acutely aware of the issues
> and are working on improving the situation.  Let's concentrate on what
> we can do.



Received on Wednesday, 13 November 2013 18:54:08 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:11:19 UTC