W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2013

Re: HTTP 2.0 mandatory security vs. Amateur Radio

From: Willy Tarreau <w@1wt.eu>
Date: Fri, 15 Nov 2013 07:47:09 +0100
To: Ryan Hamilton <rch@google.com>
Cc: David Morris <dwm@xpasc.com>, Bruce Perens <bruce@perens.com>, Roberto Peon <grmocg@gmail.com>, James Snell <jasnell@gmail.com>, HTTP Working Group <ietf-http-wg@w3.org>, Julian Reschke <julian.reschke@gmx.de>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
Message-ID: <20131115064709.GA11628@1wt.eu>
On Thu, Nov 14, 2013 at 04:28:50PM -0800, Ryan Hamilton wrote:
> ???Plain-text HTTP/1 is reliable (as Roberto said).  However plain-text of
> any other protocol on port 80 (WebSockets, HTTP/2.x etc) is *not* reliable
> because of middle boxes that attempt to process that traffic as HTTP/1.

As a *subset* of HTTP/1. Those that attempted to process that traffic as
HTTP/1 do not cause any issues since the protocol explicitly permits these
things.

The CONNECT method is used to open tunnels through proxies and all proxy
users who browse in HTTPS use it. Upgrade does the same with the origin
server instead of a proxy, and with a protocol that is advertised. If
your middle box correctly implements these, then your HTTP/1 is reliable
through this box. And fortunately there are a fair number which do it
right.

Willy
Received on Friday, 15 November 2013 06:47:42 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:11:19 UTC