Re: HTTP without being HTTPS all the time

On 7/19/12 3:29 PM, Mike Belshe wrote:
> 
> 
> On Thu, Jul 19, 2012 at 12:46 PM, Phillip Hallam-Baker <hallam@gmail.com> wrote:
> 
>     Adam is speaking about the use of HTTP in Web browsing. There is no
>     question that TLS should always be on for Web browsing.
> 
> 
> Oh!
> 
> I'd be happy with this compromise.

At the protocol level, there is no such thing as web browsing vs. web
services, there's just HTTP. Jeff Hodges likes to talk about web
applications. [1] Sure, you want your banking app to be TLS-protected
with HSTS and so on. For visiting your friend's website of cat pictures,
not so much. They're both "web browsing", but the use cases are totally
different. Why would we treat them the same? And how are they
fundamentally different from web services?

Peter

[1] https://datatracker.ietf.org/doc/draft-hodges-websec-framework-reqs/

Received on Thursday, 19 July 2012 21:49:10 UTC