W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2013

Re: Moving forward on improving HTTP's security

From: Mike Belshe <mike@belshe.com>
Date: Thu, 14 Nov 2013 00:04:04 -0800
Message-ID: <CABaLYCsL5kHPETW2OC7ZyTm_s7rCJYoJaFChSc5kAsi-PWJN3A@mail.gmail.com>
To: Willy Tarreau <w@1wt.eu>
Cc: Martin J. Dürst <duerst@it.aoyama.ac.jp>, Rob Trace <Rob.Trace@microsoft.com>, Michael Sweet <msweet@apple.com>, Tao Effect <contact@taoeffect.com>, Tim Bray <tbray@textuality.com>, James M Snell <jasnell@gmail.com>, Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
I agree, TLS is too hard to use today.  We need more tools and simpler
processes.

The reason it hasn't been simplified is not because security inhibits
simplicity.  It's because we're able to quickly opt out of any security
whatsoever and lazily go about our ways...

So for those of you that would like more encryption & authentication
generally, but are resisting TLS for fear of additional work - fear not!
 The best way to make TLS easier is to use is to make it mandatory.

Mike









On Wed, Nov 13, 2013 at 11:21 PM, Willy Tarreau <w@1wt.eu> wrote:

> On Thu, Nov 14, 2013 at 04:07:07PM +0900, "Martin J. Dürst" wrote:
> > If I Rob this correctly, this may mean that a future version of IE will
> > implement HTTP 2.0 without encryption for http: URIs.
> >
> > Next let's say that Apache 3.0 implements HTTP 2.0 which can be
> > configured to run without encryption (after all, Apache is used in
> > internal contexts, too).
> >
> > What's the chance of this *not* leaking out into the open internet and
> > forcing other browser vendors to also allow HTTP 2.0 for http: URIs
> > without encryption? After all, experience has shown that users quickly
> > abandon a browser that doesn't work for some websites, and that browser
> > vendors know about this and try to avoid it.
>
> And so what ? It's not a problem. Some browsers will likely implement
> it at least with a config option that's disabled by default, and these
> browsers will be the ones picked by developers during their tests,
> because developers pick the browser that makes their life easier.
>
> Willy
>
>
Received on Thursday, 14 November 2013 08:04:32 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:11:19 UTC