Re: Moving forward on improving HTTP's security from James M Snell on 2013-11-14 (ietf-http-wg@w3.org from October to December 2013)

From: James M Snell <jasnell@gmail.com>
Date: Thu, 14 Nov 2013 13:37:36 -0800
To: Roberto Peon <grmocg@gmail.com>
Cc: Amos Jeffries <squid3@treenet.co.nz>, HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <CABP7RbeE8fQK8=nu4AkwvQdky0Fn1hbNTGsM_gRCtPOdfp5fvw@mail.gmail.com>

Ok great, so HTTP/2 will allow plaintext.  Fantastic. The next
question is: If I have a plaintext HTTP/2 server on my intranet, will
I be able to use Chrome to access that server using HTTP/2?

On Thu, Nov 14, 2013 at 1:27 PM, Roberto Peon <grmocg@gmail.com> wrote:
> This is going sideways.
>
> You cut out the suggestion about alternate input, e.g. barcode.
>
> There are two nearly orthogonal issues here.
> 1) security/authentication
> 2) protocol
>
> It has been said over and over that http2 is specced and will be specced to
> allow plaintext on intranets.
>
> Doing so is not a great idea for device configuration of devices where
> security matters.
>
> The security issue is separate.
>
> You need a trust chain for authentication.
> The best trust chain involves meat-space interaction with the device and
> involves no third party and has nothing at all to do with the protocol that
> otherwise would be spoken.
>
> -=R
>
> On Nov 14, 2013 11:14 AM, "Amos Jeffries" <squid3@treenet.co.nz> wrote:
>>
>> On 2013-11-15 09:41, Roberto Peon wrote:
>>>
>>> Well, in such cases you may be screwed and should use a device that has
>>> such, else you have an insurmountable trust root problem.
>>
>>
>>
>> You do realise that a huge population in India and Africa are using
>> networks that consist solely of wireless AP, cellphone or tablet, right?
>> Electricity supply in many areas is not reliable enough to even run an old
>> fashioned PC.
>>
>> You just cut off how many people? oh well,
>>
>>
>> Looking forward, the high-tech countries are already rolling out similar
>> sorts of networks. Japan for example is rolling out HTTP-over-LED_lightbulb
>> and vehicle manufacturers are rolling out vehicle-vehicle wireless
>> communication (via proxies!). Now try locating the TLS certificate of the
>> lightbulb nearest you when you get of the train ... so that you can simply
>> connect to it.
>>
>> Whats the population of east asia? oh well,
>>
>>
>> Then there is that media whipping-post about trends in mobile devices
>> replacing other technology.
>>
>> Cut off them and you have lost a majority of the entire population. Both
>> Internet-of-Users and Internet-of-Things with no security.
>>
>>
>> So, how fast were you going to replace/upgrade every single Internet
>> connected device on the planet to support cabled connection with HTTP/2?
>>
>>
>> non-TLS forms of PKI seem to be working far better in those above systems
>> for simultaneous performance and security than HTTPS/TLS can offer at its
>> best. The TLS system has edges. Long overdue time to admit they are there
>> and work towards supporting the next best thing in HTTP/2 (or is it really
>> going to be an old thing that got sidelined because TLS CA model was "easy"
>> ?).
>>
>> Amos
>>
>>
>

Received on Thursday, 14 November 2013 21:38:28 UTC