Re: Some reasons why mandating use of SSL for HTTP is a really bad idea

On Tue, Jul 17, 2012 at 9:20 PM, Grahame Grieve <grahame@kestral.com.au> wrote:

> > Can you enumerate these?  For debugging, of course it makes sense for
> > endpoints to have unencrypted modes.
>
> oh? but it was going to be mandatory. Except when it's not? which is it?
> If it's mandatory by policy, but not technically actually required,
> then... well..
> I think I know how that will turn out.
>

Naw - this is not a big deal.  For instance, a server can send a NULL
cipher to the client.  In normal modes, browsers will reject the NULL
cipher and not negotiate it.  However, you can use command line flags to
allow it.

We do this all the time.  Another example is for turning on
same-origin-policy.  Browsers often have debugging modes for turning it
off.  You have to run the browser in a special, techie, opt-in way to do
it, but it is there.

I used these all the time when developing in Chrome.

Mike



>
> Grahame
>

Received on Wednesday, 18 July 2012 04:24:37 UTC