Re: HTTP without being HTTPS all the time

On Thu, Jul 19, 2012 at 2:48 PM, Peter Saint-Andre <stpeter@stpeter.im> wrote:
> On 7/19/12 3:29 PM, Mike Belshe wrote:
>> On Thu, Jul 19, 2012 at 12:46 PM, Phillip Hallam-Baker <hallam@gmail.com> wrote:
>>
>>     Adam is speaking about the use of HTTP in Web browsing. There is no
>>     question that TLS should always be on for Web browsing.
>>
>>
>> Oh!
>>
>> I'd be happy with this compromise.
>
> At the protocol level, there is no such thing as web browsing vs. web
> services, there's just HTTP. Jeff Hodges likes to talk about web
> applications. [1] Sure, you want your banking app to be TLS-protected
> with HSTS and so on. For visiting your friend's website of cat pictures,
> not so much. They're both "web browsing", but the use cases are totally
> different. Why would we treat them the same?

Mostly because of economies of scale.  We could build entirely
different browsers, protocols, and technologies for banking and for
cat pictures, but there's a lot of value in using the same primitives
for both.  There's a cost in the sense that neither gets exactly the
stack they would have built for themselves, but the benefits of using
commodity infrastructure outweigh those costs.

> And how are they fundamentally different from web services?

Mostly in that they're accessed via web browsers and browser vendors
compete on offering the best security.  It's one of the top things
users care about in choosing a browser, along with speed and
compatibility.

Adam

Received on Friday, 20 July 2012 00:25:36 UTC