Re: HTTP 2.0 mandatory security vs. Amateur Radio from Roberto Peon on 2013-11-15 (ietf-http-wg@w3.org from October to December 2013)

From: Roberto Peon <grmocg@gmail.com>
Date: Thu, 14 Nov 2013 23:05:25 -0800
To: Bruce Perens <bruce@perens.com>
Cc: Ryan Hamilton <rch@google.com>, David Morris <dwm@xpasc.com>, James Snell <jasnell@gmail.com>, HTTP Working Group <ietf-http-wg@w3.org>, Julian Reschke <julian.reschke@gmx.de>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
Message-ID: <CAP+FsNeDoyL5-fr_fHzetw=jv0Tqazw_Lr09fsG2j0Zr98UdbQ@mail.gmail.com>

The technical problem is that entities are attempting to be helpful
(sometimes attempting to help the users, and some attempt to help
themselves), and are either failing to adapt with the protocol, or failing
to properly implement it.
Given that putting everything under one roof is infeasible/impossible (the
internet spans many different jurisdictions/countries), and given that we
cannot dictate what people deploy or not, the one technical approach that
has the highest chance of success is the one where content is encrypted.
Do I love this? Nah. But I've been unable to come up with a better plan
that would work. Can you come up with a plan that will work reliably?

-=R

On Thu, Nov 14, 2013 at 4:41 PM, Bruce Perens <bruce@perens.com> wrote:

>  On 11/14/2013 04:28 PM, Ryan Hamilton wrote:
>
>
>  Plain-text HTTP/1 is reliable (as Roberto said).  However plain-text of
> any other protocol on port 80 (WebSockets, HTTP/2.x etc) is *not* reliable
> because of middle boxes that attempt to process that traffic as HTTP/1.
>
> Nothing new will ever work unless we tunnel it opaquely through port 443.
>
> And who thinks this is sustainable?
>
> We should either work out how we can go forward, or put the phone company
> back in charge and get everything from one source again.
>
>     Thanks
>
>     Bruce
>

Received on Friday, 15 November 2013 07:05:52 UTC