
Re: A proposal

From: Zhong Yu <zhong.j.yu@gmail.com>
Date: Sun, 17 Nov 2013 14:05:16 -0600
Message-ID: <CACuKZqH-r5XJFtf-EdHxpzZkXZPeZem-3n5vYRMG=Oj6Qbvr9w@mail.gmail.com>
To: James M Snell <jasnell@gmail.com>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
A new scheme is too disruptive; we need to think through all the
implications before taking it as a viable solution for clear http2.

I like the idea of a new port. But I'd rather keep the old "http"
scheme - it gives a tiny systematic bias to the old port, but the bias
is probably insignificant in the thought process of choosing a port
for clear http2. A service provider most likely goes with whichever
port is more reliable today. We don't care which port wins the
evolution race. If the new port turns out to be useless, and port 80
works just fine, so be it.

BTW, is port 02 really used by anyone? Wouldn't it be cool to assign
it to http2? So we can have URLs like

    http://example.com:2/foo



On Sun, Nov 17, 2013 at 1:00 PM, James M Snell <jasnell@gmail.com> wrote:
> If you choose to deploy plaintext http/2 for your server, and you want
> people to use that, then use http2://. Detection of browser capability to
> handle http2 links is orthogonal. If you want a better, more reliable, more
> seamless experience, use http2 over TLS.
>
> The idea here is to purposefully not solve all of the possible issues with
> plaintext http/2. Rather, we make plaintext http/2 possible for those
> willing to put up with the extra pain while optimizing only for the secure
> path.
>
> On Nov 17, 2013 10:53 AM, "Zhong Yu" <zhong.j.yu@gmail.com> wrote:
>>
>> As a web page author, how do I choose which scheme, http:// or
>> http2://, to use for a link? Do I need to detect the browser version
>> the page is rendered on?
>>
>> On Sun, Nov 17, 2013 at 12:08 PM, James M Snell <jasnell@gmail.com> wrote:
>> > The volume on the other threads on the security subject is causing far
>> > too much noise. I have a proposal that offers a compromise approach. I
>> > posted about this partially in one of the threads but I'm afraid it got
>> > lost in the noise. Others have touched on the same basic idea:
>> >
>> > 1. By default, assign plain text http/2 to a new port.
>> > 2. Document that plaintext http/2 can be sent over port 80 but document
>> >    the various possible issues with reliability.
>> > 3. Strongly recommend that http/2 be sent over TLS instead of plaintext.
>> > 4. Establish a new http2 URL protocol prefix for plaintext http2 over
>> >    the new default port.
>> >
>> > This does several things.
>> >
>> > A. It makes plaintext http/2 possible but significantly harder. Some
>> > would argue that makes plaintext http/2 "undeployable"... The same
>> > people who have argued that have also argued that plaintext http/2
>> > should not be used at all. Therefore, those people really do not lose
>> > anything by following this approach.
>> >
>> > B. It makes http/2 over TLS the default for the public internet since
>> > that's the only option that would be broadly deployable on today's
>> > infrastructure.
>> >
>> > C. It makes it less likely that we would have to deal with the upgrade
>> > dance on port 80. Which is a good thing. Http:// URLs would always mean
>> > http/1.x. Http2://example:80 would mean http/2 over port 80.
>> >
>> > D. Developers would be forced to make a conscious choice to use
>> > plaintext http/2 over an established default port. There's zero
>> > ambiguity.
>> >
>> > The folks who are arguing for TLS only really lose nothing with this
>> > approach. It still, of course, does nothing about the mitm issues on
>> > port 443, but it's a start.
>> >
>> > - James
>> >
Received on Sunday, 17 November 2013 20:05:44 UTC
