- From: Willy Tarreau <w@1wt.eu>
- Date: Thu, 19 Jul 2012 20:49:24 +0200
- To: Mike Belshe <mike@belshe.com>
- Cc: httpbis mailing list <ietf-http-wg@w3.org>
Hi Mike,

On Thu, Jul 19, 2012 at 10:31:38AM -0700, Mike Belshe wrote:
> On the heels of our discussion about "should TLS be mandatory", comes this
> article from Adam Langley.
>
> It's worth a read.
>
> Many on this list have advocated that you don't need to secure everything,
> just the login pages (common practice with HTTP today). Read this article
> and then ask yourself if that is really true.
>
> http://www.imperialviolet.org/2012/07/19/hope9talk.html
>
> Mixed modes of sometimes-secure-and-sometimes-not-secure open a slew of
> attacks that are only solved if you're all TLS all the time. If someone
> has a better solution, let me know; I don't know of one.

Thanks for the link. As usual, Adam gave a nice description there, and I'm sure many of us are aware of the issues he describes. I'm among those who consider that having only some pages of a site secured is dangerous. Either the site is clear or it's not. But this is not http vs https; it's orthogonal. In fact it's https only vs mixed http/https. The article is clearly aimed at https-enabled sites, and does not mean that all sites need https (it even says the opposite BTW).

Regards,
Willy
Received on Thursday, 19 July 2012 18:49:51 UTC