
Re: Moving forward on improving HTTP's security

From: Willy Tarreau <w@1wt.eu>
Date: Thu, 14 Nov 2013 00:22:29 +0100
To: James M Snell <jasnell@gmail.com>
Cc: Mike Belshe <mike@belshe.com>, Stephen Farrell <stephen.farrell@cs.tcd.ie>, "William Chan" <willchan@chromium.org>, Tao Effect <contact@taoeffect.com>, Tim Bray <tbray@textuality.com>, Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <20131113232229.GB10912@1wt.eu>
On Wed, Nov 13, 2013 at 02:40:24PM -0800, James M Snell wrote:
> Strongly recommending the use of TLS is fine; even making it the
> default option is fine; mandating TLS is not fine and could be
> actively counterproductive to addressing the real underlying problems
> by either providing a false sense of security or by actively
> encouraging abuse.

Perfectly agreed. I think that Mark's proposal of http2 by default
for TLS and 1.1 by default for HTTP is fine and balanced. It provides
incentive without making things mandatory. You want a better experience?
Use HTTP/2 with security. If a web site cares about response time it
will support HTTP/2 with security. Those who don't care will not have
to make that jump. And those who want/need to have the features of
HTTP/2 without security for whatever reasons will simply have to
change their browser's settings, use another browser, or maybe will
just use some libs or command line tools because this will not be
about a browser at all.

Willy
Received on Wednesday, 13 November 2013 23:23:00 UTC
