- From: patrick mcmanus <pmcmanus@mozilla.com>
- Date: Mon, 26 Mar 2012 09:44:04 +0200
- To: ietf-http-wg@w3.org
On 3/26/2012 7:56 AM, Poul-Henning Kamp wrote:
> In message <CAAbTgTu7qbPiREWRRqFddgoko0FCt0jmxR=NP1gqsiARCwscew@mail.gmail.com>, Brian Pane writes:
>
>> Nonetheless, I think it would be reasonable for HTTP/2.0 to require SSL.
>
> I think you need to talk to some people with big websites ;-)

Existence proofs: Google does all of their logged in user search over SSL, Twitter encourages SSL by default, Facebook is widely used that way. It pretty clearly can be done at scale. It's not free, but it's worth it.

More importantly - no user wants to use an insecure protocol - ever. Web protocol design should serve them first. They have an unmet expectation of privacy and security that we should meet by making the application protocol secure all the time; the mixed-content vulnerabilities of HTTP/1 make that clear to me.
Received on Monday, 26 March 2012 07:44:38 UTC