- From: Eliot Lear <lear@cisco.com>
- Date: Wed, 18 Sep 2013 06:38:21 +0200
- To: Mark Nottingham <mnot@mnot.net>
- CC: IETF HTTP WG <ietf-http-wg@w3.org>

Hi Mark,

+1

And indeed there may be some more text that could be added. I am specifically thinking about attacks where something sent in the clear over HTTP can be analyzed and used to gain access to something that is protected by TLS.

Eliot

On 9/18/13 3:30 AM, Mark Nottingham wrote:
> HTTP/1.1 does not make any particular security mechanism -- including encryption -- Mandatory to Implement, as its deployment pre-dated [RFC3631]. Nevertheless, servers ought to carefully consider the privacy implications of using HTTP without encryption (i.e., using TLS [RFC2818]), preferring its use where there is any potential for access to be considered sensitive.
>
> --->8---
>
> Regards,
>
> --
> Mark Nottingham http://www.mnot.net/

Received on Wednesday, 18 September 2013 04:38:52 UTC