W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2013

Re: How HTTP 2.0 mandatory security will actually reduce my personal security

From: Tim Bray <tbray@textuality.com>
Date: Thu, 14 Nov 2013 23:36:13 -0800
Message-ID: <CAHBU6is_i+CrYuM2i=JP1Whezv8p3HJXuad7hVtmteZshvnnRA@mail.gmail.com>
To: Roberto Peon <grmocg@gmail.com>
Cc: Nicolas Mailhot <nicolas.mailhot@laposte.net>, Bruce Perens <bruce@perens.com>, HTTP Working Group <ietf-http-wg@w3.org>
No objection, but in Vancouver, there seemed to be quite a few voices
saying that trying for opportunistic encryption, even of http:-scheme
connections, was a good idea if technically achievable. I’d certainly be in
favor.


On Thu, Nov 14, 2013 at 11:32 PM, Roberto Peon <grmocg@gmail.com> wrote:

> For 1,2: How is this not orthogonal to the rest of the discussion?
> For 3: I'm assuming you mean because the data is encrypted. You can MITM
> this.
>
> Just to be sure we're all on the same page here (because it seems that
> we're not):.
>   As I understand it, the proposal is:
>     For web activity on the "open internet", if the scheme is https,
> attempt to use http/2 over an encrypted, authenticated channel.
>     For web activity on the "open internet", if the scheme is http, use
> http/1 over an unencrypted, plaintext channel.
>     For activity on a private network: use any combination of
> {authenticated, unauthenticated}{encrypted, unencrypted}{http2,http1} you
> desire.
>
> Is there an objection to this?
> -=R
>
>
> On Thu, Nov 14, 2013 at 11:16 PM, Nicolas Mailhot <
> nicolas.mailhot@laposte.net> wrote:
>
>>
>> Le Ven 15 novembre 2013 07:57, Roberto Peon a écrit :
>> > What is your threat model?
>>
>> The threat model is
>> 1. developer that makes information leak trough incompetence, laziness,
>> sloppiness or greed (cf all the info your average android app wants to
>> access)
>> 2. attacker that does not need to penetrate target anymore can just
>> collect the leaked info at endpoints (see also: Snowden)
>> 3. protocol that prevents anyone doing anything about it by default
>>
>> --
>> Nicolas Mailhot
>>
>>
>
Received on Friday, 15 November 2013 07:36:40 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:11:19 UTC