Re: HTTP without being HTTPS all the time

Adam is speaking about the use of HTTP in Web browsing. There is no
question that TLS should always be on for Web browsing.

If you want to write a draft that specifies a set of required security
standards for secure Web browsing it would be very useful and I would
support TLS being a requirement for secure Web browsing (among quite a
few others). Such a standard could be really useful for use in RFPs
for outsourcing Web hosting and it does not need to be tied to HTTP
2.0 at all.

What is being discussed here is HTTP and the HTTP world is much larger
than Web Browsing. In particular there is a whole world of Web
Services where we use other security layers because those give us the
security properties we want while TLS does not. In particular there is
the WS-* stack and JSON encryption and Signature being developed right

I do not want to continue this discussion here because:

1) The chair has asked us not to
2) It is a rat hole
3) The people making this proposal don't seem to want to listen when
it is pointed out that privacy and confidentiality are different
issues in the security world and that the distinction matters a lot.

On Thu, Jul 19, 2012 at 1:31 PM, Mike Belshe <> wrote:
> On the heels of our discussion about "should TLS be mandatory", comes this
> article from Adam Langley.
> It's worth a read.
> Many on this list have advocated that you don't need to secure everything,
> just the login pages (common practice with HTTP today).  Read this article
> and then ask yourself if that is really true.
> Mixed modes of sometimes-secure-and-sometimes-not-secure open a slew of
> attacks that are only solved if you're all TLS all the time.  If someone has
> a better solution, let me know; I don't know of one.
> Mike


Received on Thursday, 19 July 2012 19:47:06 UTC