W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2013

Re: Moving forward on improving HTTP's security

From: Roberto Peon <grmocg@gmail.com>
Date: Thu, 14 Nov 2013 12:36:26 -0800
Message-ID: <CAP+FsNfkEiWWX_q6EjEowevp7M-KYHA6mc3k10gtYxe7Ve_NZQ@mail.gmail.com>
To: Nicolas Mailhot <nicolas.mailhot@laposte.net>
Cc: Zhong Yu <zhong.j.yu@gmail.com>, HTTP Working Group <ietf-http-wg@w3.org>, Frédéric Kayser <f.kayser@free.fr>, Patrick McManus <pmcmanus@mozilla.com>
Again, while some browsers may not implement http2 as plaintext, that
doesn't mean that a printer wouldn't be able to do it in the clear on an
intranet.

If http2 gets blocked, so be it. I can do nothing about that, and I am
thoroughly unwilling to deal with the deployment and debugging nightmare if
anything less than 100% encryption all the time.

If you need a MITM to feel or be safe, then it is absolutely clear that you
will deploy one. Having thought about and worried about the problem and
even proposed a draft about it (exproxy), even then I absolutely support
browser vendors saying they will not deploy plaintext http2 over the
internet for web traffic. It is not deployable no matter how much you may
wish it to be. This is engineering, pure, plain, and simple.

-=R
On Nov 14, 2013 9:44 AM, "Nicolas Mailhot" <nicolas.mailhot@laposte.net>
wrote:

>
> Le Jeu 14 novembre 2013 18:34, Patrick McManus a écrit :
> > On Thu, Nov 14, 2013 at 12:13 PM, Zhong Yu <zhong.j.yu@gmail.com> wrote:
> >
> >>
> >> If that's the case, WebSocket is also "undeployable" since it tunnels
> >> though port 80 as well.
> >>
> >>
> > that's right. The failure rate of cleartext websockets is much higher
> than
> > SSL wss:// websockets. (the failure rate is almost twice as large in
> > firefox). That's a significant part of the driver here. Websockets made a
> > mistake by even specifying cleartext. I was there and I've learned that
> > lesson.
>
> Yep, sure, people deployed all kinds of firewalls to forbid protocols they
> didn't trust. Here comes a web developer that says "you dummies, just push
> your untrusted protocol on port 80 in the browser I know the security guys
> let this pass".
>
> And the result gets blocked. Big surprise.
>
> And http/2 will get blocked too if it uses tls to workaround security
> blocks (not that https is not *that* close to being blocked now that
> people have used it right and left to bypass security restrictions; the
> one good thing about MITM TLS is that it kills such protocol abuses).
>
> I'm astounded anyone is even surprised firewall operators fight
> "enhancements" consisting in blowing holes in firewalls. I'm astounded
> anyone thinks being sneakier will endear it to those operators. Is the
> workgroup charter to improve the http protocol (a safe protocol that is
> widely allowed because of its simplicity, lack of side-effects, and
> inspectbility) or is its sole aim to fight security equipments in all
> possible ways by creating a blackhole monster? Because sometimes I really
> wonder…
>
> --
> Nicolas Mailhot
>
>
Received on Thursday, 14 November 2013 20:36:53 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:11:19 UTC