Re: Mandatory encryption

Okay, how about this; if TLS is enforced in HTTP 2.0, I seriously 
believe it will damage privacy. Users do not care, and will not put the 
effort required in to do this correctly, meaning self-signed 
certificates at best or HTTP 1.1 remaining the majority protocol. If 
self-signed certificates become commonplace, users will instinctively 
click through the warnings (and move away from browsers that fight them 
on that), making the current situation actually much worse.

Alternatively, users will roll their own TLS-free HTTP 2.0 alternatives 
and patch Apache, Firefox and Chrome to support it, leading to 
years/decades of complex supporting of multiple subtly incompatible 
protocols running over the same ports.

I still remember a lot of researchers wondering about how to do 
multicast file sharing effectively, before BitTorrent came along and 
worked-around the whole issue using swarmcasting. Sure, it was a 
horrific protocol that involved publicly announcing that you were 
downloading a file, but no-one cared, they just cared that it worked.

On 18/07/2012 16:09, Tim Bray wrote:
> On Wed, Jul 18, 2012 at 6:56 AM, Eliot Lear <> wrote:
>>> Show me the user that will stand up and say, "Yes, I would like my
>>> communications to be snoopable and changeable by 3rd parties without my
>>> knowledge."
>> This is a red herring.  The real argument is around the ability of all web
>> servers to get certificates
> This pattern keeps coming up.
> A: “Privacy is good”
> B: “No, because the technology is currently too expensive/unreliable”
> Uh... privacy is good.  -T

Received on Wednesday, 18 July 2012 15:23:34 UTC