- From: Ross Nicoll <jrn@jrn.me.uk>
- Date: Wed, 18 Jul 2012 16:22:50 +0100
- To: Tim Bray <tbray@textuality.com>
- CC: Eliot Lear <lear@cisco.com>, Mike Belshe <mike@belshe.com>, Willy Tarreau <w@1wt.eu>, Phillip Hallam-Baker <hallam@gmail.com>, Paul Hoffman <paul.hoffman@gmail.com>, grahame@healthintersections.com.au, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>

Okay, how about this; if TLS is enforced in HTTP 2.0, I seriously believe it will damage privacy. Users do not care, and will not put the effort required in to do this correctly, meaning self-signed certificates at best or HTTP 1.1 remaining the majority protocol. If self-signed certificates become commonplace, users will instinctively click through the warnings (and move away from browsers that fight them on that), making the current situation actually much worse.

Alternatively, users will roll their own TLS-free HTTP 2.0 alternatives and patch Apache, Firefox and Chrome to support it, leading to years/decades of complex supporting of multiple subtly incompatible protocols running over the same ports.

I still remember a lot of researchers wondering about how to do multicast file sharing effectively, before BitTorrent came along and worked-around the whole issue using swarmcasting. Sure, it was a horrific protocol that involved publicly announcing that you were downloading a file, but no-one cared, they just cared that it worked.

On 18/07/2012 16:09, Tim Bray wrote:
> On Wed, Jul 18, 2012 at 6:56 AM, Eliot Lear <lear@cisco.com> wrote:
>>> Show me the user that will stand up and say, "Yes, I would like my
>>> communications to be snoopable and changeable by 3rd parties without my
>>> knowledge."
>>
>> This is a red herring. The real argument is around the ability of all web
>> servers to get certificates
> This pattern keeps coming up.
> A: “Privacy is good”
> B: “No, because the technology is currently too expensive/unreliable”
>
> Uh... privacy is good. -T

Received on Wednesday, 18 July 2012 15:23:34 UTC