- From: Yoav Nir <ynir@checkpoint.com>
- Date: Sun, 10 Nov 2013 21:29:41 +0000
- To: Julian Reschke <julian.reschke@gmx.de>
- CC: HTTP Working Group <ietf-http-wg@w3.org>, Peter Lepeska <bizzbyster@gmail.com>, Tim Bray <tbray@textuality.com>, Mark Nottingham <mnot@mnot.net>
On Nov 10, 2013, at 11:53 AM, Julian Reschke <julian.reschke@gmx.de> wrote: > On 2013-11-10 05:11, Yoav Nir wrote: >> I'm stumped about #3 myself. >> >> The literal interpretation is that you follow (or type in) an http:// >> link, get a response, and in the response learn that this is also >> available with SSL. So the client attempts to upgrade to SSL, and >> receives a valid certificate. So, yay! >> >> But in that case, why is the http:// link out there at all, and if >> anybody types it in, why not immediately redirect to https:// as pretty >> much all sites using SSL do? > > Redirecting means changing the URI (bookmarks etc), and also implies running the service both on port 80 and 443. Right. But that's a good thing for a site with a valid certificate, no? Even port 80 doesn't have the same service as port 443, but just something that redirects all requests to the https equivalent. I just don't see why opportunistic encryption is useful for sites with a valid certificate. I think OE is needed for the 70% of websites ([1]) that don't have a valid certificate. Yoav [1] http://w3techs.com/technologies/overview/ssl_certificate/all
Received on Sunday, 10 November 2013 21:30:28 UTC