- From: patrick mcmanus <pmcmanus@mozilla.com>
- Date: Mon, 26 Mar 2012 13:39:15 +0200
- To: ietf-http-wg@w3.org
On 3/26/2012 12:41 PM, Henry Story wrote: > > Having said that to cater for use cases where security is not an issue, yet > to make sure that the groups working on SPDY to do not forget security, I think > having SSL be opt out that is a good idea. It satisfies both use cases, but > helps make sure the groups communicate more closely than they would otherwise do. none of this needs to be decided now, of course. But having any path for mixed-content (e.g. https html with http scripts or even images) is potentially troublesome - we've seen that repeatedly for the last 10 years. Content owners do not understand the risks they are exposing their users to by using insecure protocols. The web would be better without that vector. I know that not every use case is about the web, but it seems at least plausible that the best path is to secure everything rather than relying on the deployer's judgment which has a bad failure mode.
Received on Monday, 26 March 2012 11:39:47 UTC