- From: Roland Zink <roland@zinks.de>
- Date: Thu, 24 Jul 2014 15:22:44 +0200
- To: HTTP Working Group <ietf-http-wg@w3.org>
Accessing web sites through TLS gives the feeling of just talking to this site. The retrieved HTML content, however, causes the browser to open more connections for subresources of the displayed page, e.g. there are multiple endpoints and third parties are involved. It is known that in some countries it is possible for intelligence agencies to get access to the data after decryption has been done.

If encryption is done to provide real end-to-end security, then the use of any third-party subresource must be avoided in order to not violate the users' privacy concerns. For example, an intelligence agency can surveil who is browsing where by just using some tracking companies' data, including the referer header data, evercookies and other tracking data.

When an http2 browser is using TLS, then it should use a single end-to-end connection and refrain from opening any further connections. The server is the endpoint and is therefore not allowed to forward the request. Any proxy / gateway must mark responses with a via header, and http2 clients using a TLS connection must close the connection if they discover such a via header.

Roland
Received on Thursday, 24 July 2014 13:23:13 UTC
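An added example, not part of the message above: a Python sketch of the two checks the proposal implies, listing the subresources of a page that would be fetched from an origin other than the page's own, and finding a Via header on a response. The sample page, hosts and headers are constructed, and the tag list and function names are assumptions of this sketch, not anything from an HTTP/2 draft.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
# Elements whose URL attribute is fetched automatically while the page loads.
FETCHING = {"script": "src", "img": "src", "iframe": "src", "audio": "src",
            "video": "src", "source": "src", "embed": "src", "link": "href"}
FETCHING_LINK_RELS = {"stylesheet", "icon", "preload", "prefetch"}
# Constructed sample input (hypothetical hosts).
SAMPLE_PAGE = "https://shop.example/cart"
SAMPLE_HTML = """<link rel="stylesheet" href="/static/site.css">
<link rel="canonical" href="https://other.example/cart">
<script src="https://cdn.example/lib.js"></script>
<img src="//tracker.example/pixel.gif?u=1">
<img src="https://shop.example:443/logo.png">
<a href="https://news.example/">news</a>"""
SAMPLE_HEADERS = [("content-type", "text/html"), ("via", "1.1 cache.example")]

def origin(url):
    """Return (scheme, host, port) with the scheme's default port filled in."""
    parts = urlsplit(url)
    return (parts.scheme, parts.hostname, parts.port or DEFAULT_PORTS.get(parts.scheme))

class SubresourceCollector(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.urls = page_url, []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        value = attrs.get(FETCHING.get(tag, ""))
        rels = set((attrs.get("rel") or "").lower().split())
        # <link> only triggers a fetch for certain rel values; <a href> never does.
        if not value or (tag == "link" and not rels & FETCHING_LINK_RELS):
            return
        self.urls.append(urljoin(self.page_url, value))

def off_origin_subresources(page_url, html):
    """Absolute URLs of subresources served from a different origin than the page."""
    collector = SubresourceCollector(page_url)
    collector.feed(html)
    return [u for u in collector.urls if origin(u) != origin(page_url)]

def via_value(headers):
    """Value of the Via header (names are case-insensitive), or None if absent."""
    return next((v for n, v in headers if n.lower() == "via"), None)

if __name__ == "__main__":
    print(off_origin_subresources(SAMPLE_PAGE, SAMPLE_HTML))
    print(via_value(SAMPLE_HEADERS))
```

The comparison is by origin (scheme, host, port), so the explicit `:443` logo URL counts as same-origin while the CDN and tracker URLs are reported.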