Re: A proposal

Ugh..  Sorry for the autocorrect errors in that post.  Typing email on
tablets is still a rather sub par experience.
On Nov 17, 2013 10:08 AM, "James M Snell" <jasnell@gmail.com> wrote:

> The volume on the other threads on the security subject is causing far too
> much noise. I have a proposal that offers a compromise approach. I posted
> about this partially in one of the threads but I'm afraid it got lost in
> the noise. Others have touched on the same basic idea:
>
> 1. By default, assign plain text http/2 to a new port.
> 2. Document that plaintext http/2 can be sent over port 80 but document
> the various possible issues with reliability.
> 3. Strongly recommend that http/2 be sent over TLS instead of plaintext.
> 4. Establish a new http2 URL protocol prefix for plaintext http2 over the
> new default port
>
> This does several things.
>
> A. It makes plaintext http/2 possible but significantly harder. Some.
> Would argue that makes plaintext http/2 "undeployable"... The same people
> who have argued that have also argued that plaintext http/2 should not be
> used at all. Therefore, those people really do not lose anything by
> following this approach.
>
> B. It makes http/2 over TLS the default for the public internet since
> that's the only option that would be broadly deployable on today's
> infrastructure.
>
> C. It makes it less likely that we would have to deal with the upgrade
> dance on port 80. Which is a good thing. Http:// URLs would always mean
> http/1.x. Http2://example:80 would mean http/2 over port 80.
>
> D. Developers would be forced to make a conscious choice to use plaintext
> http/2 over an established default port. There's zero ambiguity.
>
> The folks who are arguing for TLS only really lose nothing with this
> approach. It still, over course, does nothing about the mitm issues on port
> 443, but its a start.
>
> - James
>
>