- From: Brian Smith <brian@briansmith.org>
- Date: Wed, 8 Oct 2014 09:26:50 -0700
- To: Albert Lunde <atlunde@panix.com>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>

On Wed, Oct 8, 2014 at 5:25 AM, Albert Lunde <atlunde@panix.com> wrote:
> Another side to the questions of TLS ciphers and modes is that pretty much
> everything that is a security risk to HTTP/2
>
> Is a security risk to HTTP/1.1.

In some cases, HTTP/1.1 implementations have had to make tough choices based on the precise framing of their HTTP messages (e.g. what order they send certain HTTP headers in). In some cases, some problems were not fully mitigated because backward compatibility wouldn't allow it and the risk for HTTP/1.1, given its specific on-the-wire properties, was deemed not severe enough to break that compatibility.

In fact, it would be a good idea for implementations that are now using SPDY with less restrictive TLS configurations than allowed for HTTP/2 to reconsider whether that is a good idea.

Cheers,
Brian

Received on Wednesday, 8 October 2014 16:27:17 UTC