Re: HTTP 2.0 mandatory security vs. Amateur Radio

From: Willy Tarreau <w@1wt.eu>
Date: Thu, 14 Nov 2013 21:47:11 +0100
To: Julian Reschke <julian.reschke@gmx.de>
Cc: Roberto Peon <grmocg@gmail.com>, HTTP Working Group <ietf-http-wg@w3.org>, Bruce Perens <bruce@perens.com>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
Message-ID: <20131114204711.GK7262@1wt.eu>

Hi Julian,

On Thu, Nov 14, 2013 at 09:33:42PM +0100, Julian Reschke wrote:
> On 2013-11-14 21:25, Roberto Peon wrote:
> >As I seem to be saying over and over...
> >
> >We can wish for plaintext http2 over the internet on port 80 as much as
> >we want, but it won't happen since it is not reliable, and the nature of
> >that unreliability is not predictable.
> >
> >Few websites will be willing to turn on http2 if it means losing 10-20%
> >of their user base. And that really is what we are talking about.
> >
> >-=R
> 
> It may very well be true that the best we can come up with isn't 
> deployable on the public internet where you need to deal with broken 
> intermediaries. But that's different from giving up right now.

Which is exactly why I think that making it the default for HTTPS *and*
allowing it for HTTP but not by default is a reasonable approach. It
will allow users to taste the new speed of HTTP/2. And when they're on
an HTTP/1.1 site, they'll have two options to use it in 2.0: contact
the web site owner to ask him to move to TLS and try by themselves to
enable HTTP/2 in their browser (for browsers that will accept it).

It has worked for the transition between 1.0 and 1.1, we ended up
quickly with 1.1 being used by default. Then same for keep-alive
which was broken for a long time. Then keep-alive to proxies, then
1.0 vs 1.1 to proxies. Even pipelining which was not generalized by
default in all browsers due to the difficulty of getting it right.
It also worked for SSLv2 to SSLv3 which were incompatible on the
wire.

I don't see why it wouldn't work with HTTP/2 as well if there is
incentive for end users to try to get a better experience. But we
can expect that 2.0 over TLS will work at more places than 2.0 in
clear.

Note that this might possibly change quickly due to the massive
incentive that TLS-everywhere creates for MITM proxies which will
have even more trouble letting HTTP/2 pass through without a code
upgrade... TLS was the preferred transport in part because it was
less affected by MITM boxes, and now it's changing because we try
to do things in the wrong order.

I just hope we won't reach the point where port 80 is more reliable
than port 443, because it will mean we'd have significantly degraded
the Net.

Best regards,
Willy
Received on Thursday, 14 November 2013 20:47:37 UTC