W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2013

Re: something I don't get about the current plan...

From: Patrick McManus <pmcmanus@mozilla.com>
Date: Mon, 18 Nov 2013 09:06:36 -0500
Message-ID: <CAOdDvNq+7A6ONG9vTqY7w0gVMXOgNxeYF+OUdBp9cyOWP8pDHA@mail.gmail.com>
To: Mark Nottingham <mnot@mnot.net>
Cc: Stephen Farrell <stephen.farrell@cs.tcd.ie>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
On Sun, Nov 17, 2013 at 11:04 PM, Mark Nottingham <mnot@mnot.net> wrote:

>
>
> The underlying assumption seems to be that the performance (and other?)
> benefits of HTTP/2 will lure sites into deploying TLS. Other things could
> also help, of course -- e.g. better administrator experience in deploying
> certs on the server, but that's out of scope for us.
>
> In short, HTTP/2 is being positioned as a gigantic carrot. Because the
> incentives are lined up (the person who needs to install the cert is
> getting the benefit of HTTP/2), the theory is that it's not like the other
> cases.
>
> However, it's still making an assumption that enough people will want
> those benefits to go through the pain of deploying TLS.
>
> Opportunistic encryption is also a means of addressing this issue;
> however, there seems to be a lot of doubt about how its introduction would
> affect the Web, whereas the current approach ("HTTPS Everywhere", to steal
> a phrase from the EFF) has more well-understood properties.
>
> In the current plan, opp encryption may still have a place, if adoption of
> HTTP/2-over-TLS-over-HTTPS turns out to be very low.
>
>
Mark, I think this is a really great summary. Thank you. I will say that
low-adoption isn't necessarily the only possible trigger for me. For my
part, I want to see tls-no-auth vetted by the security folks that I trust
too - and if they are on board then its a lot more attractive to do
proactively. I value their opinions, but it takes some time.



> So, I'd like to hear from those who don't like the current plan; would opp
> encryption (in a nutshell, HTTP/2 for http:// URIs over TLS without
> server authentication) help or hurt?
>
>
both! :)



> Also, I'm wondering what people (both sides) would think if we allowed
> http/2 for http:// URLs (with or without opp encryption) for .local and
> RFC1918 addresses, to ease the IoT / printer cases.
>
>
as above, encryption with no-auth is still a possibility in my mind,
especially for things that don't bootstrap into the PKI well. But no
plaintext at all for me - addresses are meaningless, as is the notion of a
private lan.
http://apps.washingtonpost.com/g/page/world/how-the-nsas-muscular-program-collects-too-much-data-from-yahoo-and-google/543/
Received on Monday, 18 November 2013 14:07:07 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:11:19 UTC