- From: Willy Tarreau <w@1wt.eu>
- Date: Tue, 31 Mar 2015 21:06:23 +0200
- To: Maxthon Chan <xcvista@me.com>
- Cc: Roberto Peon <grmocg@gmail.com>, "Walter H." <Walter.H@mathemainzel.info>, HTTP Working Group <ietf-http-wg@w3.org>
On Wed, Apr 01, 2015 at 02:58:31AM +0800, Maxthon Chan wrote:
> I mean TLS is mandatory and all communications happen over port 443. However
> without authentication any form of encryption is pointless, so the only
> difference between http and https here in my suggestion is whether the
> certificate is authenticated or not, but keeping TLS intact would allow other
> protocol features to be used, like NPN.

All of this has been discussed to death 2 years ago already and many cases were provided about a number of situations where this would cause more harm than good. IoT devices were one example where you don't want to spend CPU cycles encrypting. Being able to use the existing infrastructure as it is is another important aspect. Forcing everyone to mix secure and non-secure traffic on the same port doesn't necessarily come without any security/confidentiality impact.

And in my personal opinion, encrypting without authenticating just to let people *feel* they're safe is not a good idea, though I know that many don't share my view on this. Quite frankly, when you want an admin to switch his internal servers to TLS, there's no better solution than providing him with a network capture showing all his activities in clear text. Really.

Regards,
Willy
Received on Tuesday, 31 March 2015 19:06:55 UTC