Re: SPDY = HTTP/2.0 or not ? from Robert Collins on 2012-03-27 (ietf-http-wg@w3.org from January to March 2012)

From: Robert Collins <robertc@squid-cache.org>
Date: Tue, 27 Mar 2012 13:58:53 +1300
To: Mark Watson <watsonm@netflix.com>
Cc: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Message-ID: <CAJ3HoZ1utUcsQmBf_cDpvJMMPRf7m2pqGKrXQ=56S+FCQ39tog@mail.gmail.com>

On Tue, Mar 27, 2012 at 10:22 AM, Mark Watson <watsonm@netflix.com> wrote:
> Hi everyone,
>
> On the question of security, as a fairly heavy user of HTTP, at Netflix we're very interested in security for the content we distribute, but we are interested in end-to-end security. The cache server that terminates our HTTP connections in not an "end" in this context. Our encoding/packaging servers are. As a result, our media files are themselves protected in various ways and so it would be unnecessary (and expensive) to transfer them over TLS.
>
> So, this is to say, do not equate security with transport layer security. Security may be essential, but this does not always mean that transport layer security is essential. Netflix at least would fall into the category of companies that would not use HTTP2.0 if TLS was mandated.
>
> …Mark

Would -not use- or would be slightly disinclined to use? And if you
really wouldn't use it, could you expand on why? From my perspective,
even hop by hop encryption offers privacy that plain text does not -
and when you say 'security' you may mean 'message integrity' or 'only
viewable by intended recipient' or 'transaction is private' - these
are all different things, and only the last one is delivered by
SSL/TLS: message integrity is a layer above (e.g. hash
checking/self-describing formats, limiting viewing to the intended
receipient requires DRM or similar machinations (otherwise the
recipient can just copy the content to their friends - its not a
transport problem at all).

If, as I suspect you care about the intended recipient aspect only,
consider that some of your users may consider which videos they watch
a private matter between you and them, not something for their ISP,
their neighbours, or the person war-driving past their place, to know
about.

So -> there may be a pragmatic cost overhead in TLS which offers
marginal benefits to your environment, but OTOH you would be
delivering something that you currently do not, and which your users
might indeed care about.

-Rob

Received on Tuesday, 27 March 2012 00:59:25 UTC