
Re: Moving forward on improving HTTP's security

From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Date: Thu, 14 Nov 2013 17:02:03 +0000
Message-ID: <5285020B.6070803@cs.tcd.ie>
To: Michael Sweet <msweet@apple.com>, Nicolas Mailhot <nicolas.mailhot@laposte.net>
CC: Willy Tarreau <w@1wt.eu>, Mike Belshe <mike@belshe.com>, William Chan <willchan@chromium.org>, Tao Effect <contact@taoeffect.com>, Tim Bray <tbray@textuality.com>, James M Snell <jasnell@gmail.com>, Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>

Just on two points...

On 11/14/2013 04:41 PM, Michael Sweet wrote:
> The point of all this is just that adding/requiring TLS for HTTP/2.0
> does not, by itself, make HTTP/2.0 more secure, 

Adding even opportunistic encryption does make things more secure.
Nobody sensible said anything makes things "secure" without some
qualification.

> and that deploying
> TLS properly is not as simple as clicking a button.  Last week the
> prevailing assumption was that “active attacks are too expensive”,

That's not correct. Lots of discussion last week related to making
pervasive attacks more expensive which is very different to the above.
For example, active attacks are much more detectable and hence
riskier, which is very different.

Having said that I do agree that the printer/device-as-server
issue is a real one.

S

> but in the last couple days we have discovered that assumption is not
> correct and that MITM proxies are widely deployed already.

Received on Thursday, 14 November 2013 17:02:27 UTC
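The distinction drawn in the message above, between a passive tap that reads traffic and an active attacker that has to insert itself into the key exchange, can be shown with a small model. The following is an added example, not code from the original message or from any HTTP/2 implementation: an unauthenticated Diffie-Hellman exchange (opportunistic encryption, no certificate checking) run three times against a client that pins the first public value it sees from a host. The group parameters, the `Party`/`TofuClient` classes and the hostname `printer.local` are all assumptions made for this illustration.

```python
from __future__ import annotations

import hashlib
import secrets

# Toy Diffie-Hellman group: a Mersenne prime with a fixed base. These are
# illustration-only parameters, far too small for real use; a deployed
# stack would use a standard group such as RFC 3526 group 14.
P = 2**127 - 1
G = 3


def fingerprint(pub: int) -> str:
    """Short SHA-256 fingerprint of a public value, as a pinning client stores it."""
    return hashlib.sha256(pub.to_bytes(16, "big")).hexdigest()[:16]


class Party:
    """One endpoint (or attacker) holding a DH key pair."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.priv = secrets.randbelow(P - 2) + 1
        self.pub = pow(G, self.priv, P)

    def shared(self, peer_pub: int) -> int:
        return pow(peer_pub, self.priv, P)


class TofuClient(Party):
    """Client that pins the first public value each host presents (trust on first use)."""

    def __init__(self, name: str) -> None:
        super().__init__(name)
        self.pins: dict[str, str] = {}

    def connect(self, host: str, server_pub: int) -> dict:
        fp = fingerprint(server_pub)
        pinned = self.pins.setdefault(host, fp)
        return {"secret": self.shared(server_pub), "pin_mismatch": pinned != fp}


def run_session(client: TofuClient, server: Party, host: str,
                attacker: Party | None = None, active: bool = False) -> dict:
    """Run one unauthenticated key exchange and report who ended up with what.

    attacker=None: no adversary. active=False: the attacker only records the
    two public values on the wire. active=True: the attacker substitutes its
    own public value in both directions (classic MITM)."""
    if attacker is not None and active:
        # Client believes attacker.pub is the server; server believes it is the client.
        view = client.connect(host, attacker.pub)
        server_key = server.shared(attacker.pub)
        attacker_reads = (attacker.shared(client.pub) == view["secret"]
                          and attacker.shared(server.pub) == server_key)
    else:
        view = client.connect(host, server.pub)
        server_key = server.shared(client.pub)
        attacker_reads = False
        if attacker is not None:
            # A passive tap holds only the two public values. Without solving
            # the discrete log, all it can do is combine them with its own
            # exponent, which does not yield the session key.
            attacker_reads = any(attacker.shared(x) == view["secret"]
                                 for x in (client.pub, server.pub))
    return {
        "keys_match": view["secret"] == server_key,  # do the two ends share one key?
        "attacker_reads": attacker_reads,             # does the adversary hold a session key?
        "pin_mismatch": view["pin_mismatch"],         # did the client see the host's key change?
    }


def demo() -> dict:
    """First contact, then a passive tap, then an active MITM on the same host."""
    client, server, eve = TofuClient("client"), Party("server"), Party("eve")
    host = "printer.local"  # constructed hostname for the example
    return {
        "first": run_session(client, server, host),
        "passive": run_session(client, server, host, attacker=eve),
        "active": run_session(client, server, host, attacker=eve, active=True),
    }


if __name__ == "__main__":
    for phase, outcome in demo().items():
        print(f"{phase:8s} {outcome}")
```

The passive run leaves the attacker with nothing but two public values and leaves no trace at the client; the active run gives the attacker both session keys, but only by presenting a key the client has not seen before, which a pinning client can flag. The limitation is the obvious one: if the active attacker is already present on the first connection, the pin recorded is the attacker's and nothing is flagged, so the model supports "more detectable", not "secure".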