W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2013

Re: Moving forward on improving HTTP's security

From: Jason Duell <jduell@mozilla.com>
Date: Wed, 13 Nov 2013 16:43:50 -0800
Message-ID: <52841CC6.9060805@mozilla.com>
To: HTTP Working Group <ietf-http-wg@w3.org>
On 11/13/2013 03:09 PM, Karl Dubost wrote:
> (trimming the cc)
>
> Le 13 nov. 2013 à 15:41, Mike Belshe <mike@belshe.com> a écrit :
>>      c) otherwise actively leveraging plaintext HTTP today for business or pleasure
> I'm one of this (indeed rare) person who is having a Web site, do not have analytics, do not have comments, or anything, do not set any cookies of any sort, etc. Plain HTTP works for me.

And plain HTTP/1.1 will continue to work for you, and that's a good, 
fine thing. Your simple site is unlikely to benefit much from the 
latency/multiplexing/etc improvements that HTTP/2 gives. Sites that do 
are more likely to the ones that carry user identity or other info that 
is better to keep secure.  Hence the carrot approach: use TLS if you 
want the fancy bells and whistles from HTTP/2.

The proposal Mark has laid out sounds like a reasonable compromise, and 
I suspect the other networking module peers at Mozilla feel similarly.

Jason Duell
Mozilla
Received on Thursday, 14 November 2013 00:44:17 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:11:19 UTC