
Re: Moving forward on improving HTTP's security

From: Zhong Yu <zhong.j.yu@gmail.com>
Date: Thu, 14 Nov 2013 12:14:30 -0600
Message-ID: <CACuKZqFNf=nZtHuLR_pC+c2f-JjdsjyPm-_BvrK5n+oFNMmBQg@mail.gmail.com>
To: William Chan (陈智昌) <willchan@chromium.org>
Cc: Willy Tarreau <w@1wt.eu>, Martin J. Dürst <duerst@it.aoyama.ac.jp>, Rob Trace <Rob.Trace@microsoft.com>, Michael Sweet <msweet@apple.com>, Mike Belshe <mike@belshe.com>, Tao Effect <contact@taoeffect.com>, Tim Bray <tbray@textuality.com>, James M Snell <jasnell@gmail.com>, Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>

On Thu, Nov 14, 2013 at 12:05 PM, William Chan (陈智昌)
<willchan@chromium.org> wrote:
> On Thu, Nov 14, 2013 at 10:00 AM, Zhong Yu <zhong.j.yu@gmail.com> wrote:
>>
>> On Thu, Nov 14, 2013 at 1:21 AM, Willy Tarreau <w@1wt.eu> wrote:
>> > On Thu, Nov 14, 2013 at 04:07:07PM +0900, "Martin J. Dürst" wrote:
>> >> If I Rob this correctly, this may mean that a future version of IE will
>> >> implement HTTP 2.0 without encryption for http: URIs.
>> >>
>> >> Next let's say that Apache 3.0 implements HTTP 2.0 which can be
>> >> configured to run without encryption (after all, Apache is used in
>> >> internal contexts, too).
>> >>
>> >> What's the chance of this *not* leaking out into the open internet and
>> >> forcing other browser vendors to also allow HTTP 2.0 for http: URIs
>> >> without encryption? After all, experience has shown that users quickly
>> >> abandon a browser that doesn't work for some websites, and that browser
>> >> vendors know about this and try to avoid it.
>> >
>> > And so what ? It's not a problem. Some browsers will likely implement
>> > it at least with a config option that's disabled by default, and these
>> > browsers will be the ones picked by developers during their tests,
>> > because developers pick the browser that makes their life easier.
>>
>> And web servers also need to have an option to operate HTTP/2.0 on
>> plain TCP to make dev's life easier. It's difficult to see why
>> browsers/servers would risk alienating developers. So most browsers
>> and servers would end up with the capability of talking HTTP/2.0 over
>> TCP.
>>
>
> Just to be clear, I'm a browser vendor speaking here, representing my own
> personal views, but those generally align with the Chromium project. And no,
> we don't have plans to support HTTP/2.0 in the clear. Firefox developers
> like Pat have said similar things. So you're simply factually wrong in your
> assertion about browsers.

I was just predicting. It's a hassle to set up TLS during development.
How does Google handle it internally in developing your SPDY services?

>
>>
>>
>> >
>> > Willy
>> >
>> >
>>
>
Received on Thursday, 14 November 2013 18:14:57 UTC
