W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2013

Re: A proposal

From: Roland Zink <roland@zinks.de>
Date: Sun, 17 Nov 2013 19:12:20 +0100
Message-ID: <52890704.9060609@zinks.de>
To: ietf-http-wg@w3.org
+1
On 17.11.2013 19:08, James M Snell wrote:
>
> The volume on the other threads on the security subject is causing far 
> too much noise. I have a proposal that offers a compromise approach. I 
> posted about this partially in one of the threads but I'm afraid it 
> got lost in the noise. Others have touched on the same basic idea:
>
> 1. By default, assign plain text http/2 to a new port.
> 2. Document that plaintext http/2 can be sent over port 80 but 
> document the various possible issues with reliability.
> 3. Strongly recommend that http/2 be sent over TLS instead of plaintext.
> 4. Establish a new http2 URL protocol prefix for plaintext http2 over 
> the new default port
>
> This does several things.
>
> A. It makes plaintext http/2 possible but significantly harder. Some. 
> Would argue that makes plaintext http/2 "undeployable"... The same 
> people who have argued that have also argued that plaintext http/2 
> should not be used at all. Therefore, those people really do not lose 
> anything by following this approach.
>
> B. It makes http/2 over TLS the default for the public internet since 
> that's the only option that would be broadly deployable on today's 
> infrastructure.
>
> C. It makes it less likely that we would have to deal with the upgrade 
> dance on port 80. Which is a good thing. Http:// URLs would always 
> mean http/1.x. Http2://example:80 would mean http/2 over port 80.
>
> D. Developers would be forced to make a conscious choice to use 
> plaintext http/2 over an established default port. There's zero ambiguity.
>
> The folks who are arguing for TLS only really lose nothing with this 
> approach. It still, over course, does nothing about the mitm issues on 
> port 443, but its a start.
>
> - James
>
Received on Sunday, 17 November 2013 18:12:42 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:11:19 UTC