W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2013

Re: Reasonable proposal for migrating to 2.0

From: Willy Tarreau <w@1wt.eu>
Date: Sun, 17 Nov 2013 23:51:03 +0100
To: Poul-Henning Kamp <phk@phk.freebsd.dk>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <20131117225103.GC18577@1wt.eu>
On Sun, Nov 17, 2013 at 09:57:22PM +0000, Poul-Henning Kamp wrote:
> In message <20131117204928.GA18577@1wt.eu>, Willy Tarreau writes:
> 
> >1) browser: make the root and/or cert issuer on HTTPS sites for the main
> >   page visible all the time, just like the page's title is currently
> >   visible (add it next to the title or at the bottom ?)
> 
> That could work for open-source browsers.  For closed source browsers
> of US origin, there's no telling what they can or will tell the user
> or what relationship that might have with the truth.

You can say the same about their TLS libs anyway, so that's not an
issue we can cover using a protocol.

> >2) protocol: add a new "httpe://" scheme
> 
> Anything which tries to add another scheme is going to be serious
> uphill work, so it had better be for a reason which amounts to
> more than some cryptographic mumbo-jumbo 99.9% of webmasters
> are not entirely sure what means.

Note I'm not talking about sites, but more the rare use cases where
we currentl expect a self-signed cert to be OK (basically your WiFi
router's setup page, or for developers to test HTTP/2 without having
to request a cert for each host:port combination they work on).

> I don't think your idea clears that hurdle.
> 
> I think it is a better idea to just stick with "https:" and leave
> it to the server side to negotiate as much security as they want,
> and hope that user-agents faithfully indicates this to the user.
> 
> >3) browser: get rid of the ability to bypass the cert error for HTTPS
> >   (except maybe for developers using a config option). 
> 
> See above.
> 
> At least 50% of the pervassive surveillance problem is software we
> cannot trust on the client side.

I dont think it's that high if we're talking about surveillance. If
we're talking about information leaks, it might be much higher however.

Willy
Received on Sunday, 17 November 2013 22:51:27 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:11:19 UTC