Re: New Version Notification for draft-nottingham-http2-encryption-00.txt

On Tue, Oct 8, 2013 at 1:36 PM, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:

>
>
> On 10/08/2013 09:26 PM, William Chan (陈智昌) wrote:
> > Cold page load
> > ==> GET /index.html (occurs over newly established HTTP/1.X connection)
> > <== index.html + Alt-Svc: http2-tls=:443
> > ==> GET /foo.jpg (Does the user-agent block the foo.jpg fetch on a new
> > HTTP/2 over TLS connection? If so, that's a perf hit, since there's a
> > HTTP/1.X connection warm and ready to go.)
>
> I suspect the interesting questions to ask here relate to whether
> or not that perf hit is needed to meet the security goals, and if
> it is, then what to do about that.
>

Yep, I was just trying to share our experience from Alternate-Protocol,
since it seemed relevant here. It's not clear to me how opportunistic we're
trying to be here in the security improvement, and how much we're willing
to pay the perf hit. I can tell you that before I implemented this racing
for Chromium, we definitely noticed the perf hit, which is why I
implemented it.


>
> Could be in this case, the kind of "turn on crypto after a delay"
> approach you mention might be ok, but to know that, one would have
> to carefully write down the security goals so you could check if
> you're making a boo-boo or not.
>
> Mark's draft is a good start at some of that, but clearly more is
> needed.
>
> S.
>

Received on Tuesday, 8 October 2013 20:44:44 UTC