
Re: Moving forward on improving HTTP's security

From: Roberto Peon <grmocg@gmail.com>
Date: Thu, 14 Nov 2013 13:48:16 -0800
Message-ID: <CAP+FsNcHPW0MkDWO8oU327Yi_J+nmSczeBB5poVtn+but2br1g@mail.gmail.com>
To: James Snell <jasnell@gmail.com>
Cc: HTTP Working Group <ietf-http-wg@w3.org>, Amos Jeffries <squid3@treenet.co.nz>

No idea here.
-=R
On Nov 14, 2013 11:37 AM, "James M Snell" <jasnell@gmail.com> wrote:

> OK, great, so HTTP/2 will allow plaintext. Fantastic. The next
> question is: If I have a plaintext HTTP/2 server on my intranet, will
> I be able to use Chrome to access that server using HTTP/2?
>
> On Thu, Nov 14, 2013 at 1:27 PM, Roberto Peon <grmocg@gmail.com> wrote:
> > This is going sideways.
> >
> > You cut out the suggestion about alternate input, e.g. barcode.
> >
> > There are two nearly orthogonal issues here.
> > 1) security/authentication
> > 2) protocol
> >
> > It has been said over and over that http2 is specced and will be specced to
> > allow plaintext on intranets.
> >
> > Doing so is not a great idea for device configuration of devices where
> > security matters.
> >
> > The security issue is separate.
> >
> > You need a trust chain for authentication.
> > The best trust chain involves meat-space interaction with the device and
> > involves no third party and has nothing at all to do with the protocol that
> > otherwise would be spoken.
> >
> > -=R
> >
> > On Nov 14, 2013 11:14 AM, "Amos Jeffries" <squid3@treenet.co.nz> wrote:
> >>
> >> On 2013-11-15 09:41, Roberto Peon wrote:
> >>>
> >>> Well, in such cases you may be screwed and should use a device that has
> >>> such, else you have an insurmountable trust root problem.
> >>
> >>
> >>
> >> You do realise that a huge population in India and Africa are using
> >> networks that consist solely of wireless AP, cellphone or tablet, right?
> >> Electricity supply in many areas is not reliable enough to even run an
> >> old-fashioned PC.
> >>
> >> You just cut off how many people? oh well,
> >>
> >>
> >> Looking forward, the high-tech countries are already rolling out similar
> >> sorts of networks. Japan for example is rolling out HTTP-over-LED_lightbulb
> >> and vehicle manufacturers are rolling out vehicle-vehicle wireless
> >> communication (via proxies!). Now try locating the TLS certificate of the
> >> lightbulb nearest you when you get off the train ... so that you can simply
> >> connect to it.
> >>
> >> What's the population of east Asia? oh well,
> >>
> >>
> >> Then there is that media whipping-post about trends in mobile devices
> >> replacing other technology.
> >>
> >> Cut off them and you have lost a majority of the entire population. Both
> >> Internet-of-Users and Internet-of-Things with no security.
> >>
> >>
> >> So, how fast were you going to replace/upgrade every single Internet
> >> connected device on the planet to support cabled connection with HTTP/2?
> >>
> >>
> >> Non-TLS forms of PKI seem to be working far better in those above systems
> >> for simultaneous performance and security than HTTPS/TLS can offer at its
> >> best. The TLS system has edges. Long overdue time to admit they are there
> >> and work towards supporting the next best thing in HTTP/2 (or is it really
> >> going to be an old thing that got sidelined because the TLS CA model was
> >> "easy"?).
> >>
> >> Amos
> >>
> >>
> >
>
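The out-of-band trust chain Roberto describes (a barcode on the device rather than a CA-issued certificate) can be sketched concretely. The following is an added example, not code from anyone in this thread: it assumes the device prints a SHA-256 fingerprint of its own self-signed certificate on a label in a made-up "devpin:v1:sha256:..." format, and the client pins to that fingerprint instead of consulting any certificate authority. The certificate bytes below are constructed stand-ins, not real DER.

```python
"""
Out-of-band trust anchor for a device, without any CA (added example).

Assumed scenario: the device's label (QR/barcode) carries the SHA-256
fingerprint of its self-signed certificate; the client scans it and pins
the TLS connection to that fingerprint.
"""
import base64
import hashlib
import hmac
import socket
import ssl

# Assumed label format (an invention for this example, not from the thread):
#   "devpin:v1:sha256:<base64 of the 32-byte SHA-256 of the DER certificate>"
PAYLOAD_PREFIX = "devpin:v1:sha256:"


def fingerprint(cert_der: bytes) -> bytes:
    """SHA-256 over the DER-encoded certificate exactly as sent on the wire."""
    return hashlib.sha256(cert_der).digest()


def make_label_payload(cert_der: bytes) -> str:
    """What the device would print on its label (e.g. encoded as a QR code)."""
    return PAYLOAD_PREFIX + base64.b64encode(fingerprint(cert_der)).decode("ascii")


def parse_label_payload(payload: str) -> bytes:
    """Parse a scanned label; reject anything that is not a well-formed pin."""
    if not payload.startswith(PAYLOAD_PREFIX):
        raise ValueError("unrecognised label format")
    raw = base64.b64decode(payload[len(PAYLOAD_PREFIX):], validate=True)
    if len(raw) != hashlib.sha256().digest_size:
        raise ValueError("pin has wrong length")
    return raw


def is_valid_label(payload: str) -> bool:
    """True if the scanned payload parses as a pin; swallows parse errors."""
    try:
        parse_label_payload(payload)
        return True
    except ValueError:  # binascii.Error is a ValueError subclass
        return False


def cert_matches_pin(cert_der: bytes, pin: bytes) -> bool:
    """Constant-time comparison so a mismatch leaks nothing via timing."""
    return hmac.compare_digest(fingerprint(cert_der), pin)


def connect_pinned(host: str, port: int, pin: bytes, timeout: float = 5.0) -> ssl.SSLSocket:
    """
    Open a TLS connection whose only trust anchor is the scanned pin.
    CA verification and hostname checks are deliberately off: the device has
    no CA-issued name, so the fingerprint is the entire authentication.
    Never send application data before cert_matches_pin() has passed.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    presented = tls.getpeercert(binary_form=True)
    if presented is None or not cert_matches_pin(presented, pin):
        tls.close()
        raise ssl.SSLError("peer certificate does not match the scanned pin")
    return tls


# Constructed stand-ins for DER certificates (not real ASN.1).
DEVICE_CERT_DER = b"\x30\x82\x01\x00" + b"lightbulb-self-signed-cert" * 4
ATTACKER_CERT_DER = b"\x30\x82\x01\x00" + b"mitm-cert-signed-by-a-public-ca" * 4


def demo() -> dict:
    """Genuine device passes; a CA-signed MITM certificate is still rejected."""
    label = make_label_payload(DEVICE_CERT_DER)
    pin = parse_label_payload(label)
    return {
        "genuine_device_accepted": cert_matches_pin(DEVICE_CERT_DER, pin),
        "mitm_rejected": not cert_matches_pin(ATTACKER_CERT_DER, pin),
    }


if __name__ == "__main__":
    print(demo())
```

The point the example makes is the one in the thread: the trust root comes from physical proximity to the device (scanning the label), so whether the transport is then HTTP/1.1, HTTP/2 over TLS, or plaintext on an intranet is a separate decision; the pin check is what authenticates the device, and an attacker holding a certificate from any public CA gains nothing.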
Received on Thursday, 14 November 2013 21:48:44 UTC
