
Re: Moving forward on improving HTTP's security

From: James M Snell <jasnell@gmail.com>
Date: Thu, 14 Nov 2013 09:09:08 -0800
Message-ID: <CABP7RbdqUobyTjZvVbZZRfp1pex7JJaQWSL9dJS+m+Y-dFDTqg@mail.gmail.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Cc: Michael Sweet <msweet@apple.com>, Nicolas Mailhot <nicolas.mailhot@laposte.net>, Willy Tarreau <w@1wt.eu>, Mike Belshe <mike@belshe.com>, "William Chan (?????????)" <willchan@chromium.org>, Tao Effect <contact@taoeffect.com>, Tim Bray <tbray@textuality.com>, Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
Ok, so this raises the question. For clarification it would be great
if some of the folks from Chromium or Firefox could answer this:

  - The proposal that Mark put on the table is HTTP2 over HTTPS Only
for open Internet traffic.
  - William has said that Chromium, at least, will ONLY support HTTP2
over HTTPS, period, without any qualification given about "open" or
"private" internet traffic.

  Therefore, it would be helpful to know...

  - If my printer running on my secure local wifi network hosts an
HTTP/2 server without using TLS, will I be able to use Chrome to
access my printer's HTTP/2 server?

If not, then we have a definite problem.

- James

On Thu, Nov 14, 2013 at 9:02 AM, Stephen Farrell
<stephen.farrell@cs.tcd.ie> wrote:
>
> Just on two points...
>
> On 11/14/2013 04:41 PM, Michael Sweet wrote:
>> The point of all this is just that adding/requiring TLS for HTTP/2.0
>> does not, by itself, make HTTP/2.0 more secure,
>
> Adding even opportunistic encryption does make things more secure.
> Nobody sensible said anything makes things "secure" without some
> qualification.
>
>> and that deploying
>> TLS properly is not as simple as clicking a button.  Last week the
>> prevailing assumption was that “active attacks are too expensive”,
>
> That's not correct. Lots of discussion last week related to making
> pervasive attacks more expensive which is very different to the above.
> For example active attacks are much more detectable and hence
> riskier which is very different.
>
> Having said that I do agree that the printer/device-as-server
> issue is a real one.
>
> S
>
>> but in the last couple days we have discovered that assumption is not
>> correct and that MITM proxies are widely deployed already.
>
>
Received on Thursday, 14 November 2013 17:09:55 UTC
