W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2013

Re: Moving forward on improving HTTP's security

From: Roberto Peon <grmocg@gmail.com>
Date: Thu, 14 Nov 2013 12:50:58 -0800
Message-ID: <CAP+FsNfTvKfPbB34X22anVoJOjXaHjSJhjgbrWk-GqkN8Us-bA@mail.gmail.com>
To: Gili <cowwoc@bbs.darktech.org>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
That has to be one of the funniest things I've heard in a long time!

No, sorry, I did actually deal with developers and real deployments. Large
numbers of them, actually.

Let me rephrase this.

Developers WILL choose a solution that is 99.99% reliable with a clear and
understandable failure mode over a solution that is broken 10-20% of the
time in unpredictable and unfixable ways.

Or are debating this and saying that developers will choose to deploy
something broken that they can't fix?

-=R
On Nov 14, 2013 10:37 AM, "Gili" <cowwoc@bbs.darktech.org> wrote:

>
> It sounds to me like you live in some ivory tower. Most developers suck
> (the average developer is not as smart as you). I've seen plenty of cases
> where debugging code was left in production systems and never taken out.
>
> As far as I'm concerned, most developers would pick "easy to debug" over
> "reliable" any day of the week, and I also think saying TLS is required for
> reliability is unfair. There are plenty of "reliable" services out there
> with security holes. That doesn't make them any less "reliable". You will
> never *ever* reach 100% secure, which is why I view security as a goal
> which exists alongside but separate from reliability.
>
> Gili
>
> On 14/11/2013 2:58 PM, Roberto Peon wrote:
>
> Which devs?
>
> Most developers that I know will choose "reliable" over "easy to debug"
> any day of the week. It is not pleasant dealing with heisenbugs. It is
> better to not have to debug.
>
> In locales where one knows that http2 can work effectively in the clear,
> e.g. corporate LANs, one will be able to do so.
>
> -=R
> On Nov 14, 2013 8:02 AM, "Zhong Yu" <zhong.j.yu@gmail.com> wrote:
> >
> > On Thu, Nov 14, 2013 at 1:21 AM, Willy Tarreau <w@1wt.eu> wrote:
> > > On Thu, Nov 14, 2013 at 04:07:07PM +0900, "Martin J. Dürst" wrote:
> > >> If I Rob this correctly, this may mean that a future version of IE
> will
> > >> implement HTTP 2.0 without encryption for http: URIs.
> > >>
> > >> Next let's say that Apache 3.0 implements HTTP 2.0 which can be
> > >> configured to run without encryption (after all, Apache is used in
> > >> internal contexts, too).
> > >>
> > >> What's the chance of this *not* leaking out into the open internet and
> > >> forcing other browser vendors to also allow HTTP 2.0 for http: URIs
> > >> without encryption? After all, experience has shown that users quickly
> > >> abandon a browser that doesn't work for some websites, and that
> browser
> > >> vendors know about this and try to avoid it.
> > >
> > > And so what ? It's not a problem. Some browsers will likely implement
> > > it at least with a config option that's disabled by default, and these
> > > browsers will be the ones picked by developers during their tests,
> > > because developers pick the browser that makes their life easier.
> >
> > And web servers also need to have an option to operate HTTP/2.0 on
> > plain TCP to make dev's life easier. It's difficult to see why
> > browsers/servers would risk to alienate developers. So most browsers
> > and servers would end up with the capability of talking HTTP/2.0 over
> > TCP.
> >
> >
> > >
> > > Willy
> > >
> > >
> >
>
>
>
Received on Thursday, 14 November 2013 20:51:25 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:11:19 UTC