- From: Mike Belshe <mike@belshe.com>
- Date: Thu, 19 Jul 2012 10:31:38 -0700
- To: httpbis mailing list <ietf-http-wg@w3.org>
Received on Thursday, 19 July 2012 17:32:07 UTC
On the heels of our discussion about "should TLS be mandatory", comes this article from Adam Langley. It's worth a read. Many on this list have advocated that you don't need to secure everything, just the login pages (common practice with HTTP today). Read this article and then ask yourself if that is really true. http://www.imperialviolet.org/2012/07/19/hope9talk.html Mixed modes of sometimes-secure-and-sometimes-not-secure open a slew of attacks that are only solved if you're all TLS all the time. If someone has a better solution, let me know; I don't know of one. Mike
Received on Thursday, 19 July 2012 17:32:07 UTC