- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Wed, 13 Nov 2013 12:03:33 +0100
- To: Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
On 2013-11-13 11:01, Mark Nottingham wrote:
> In Vancouver, we continued the discussion that we started in Berlin regarding the use of encryption in HTTP/2.
>
> There seems to be strong consensus to increase the use of encryption on the Web, but there is less agreement about how to go about this.
>
> The most relevant proposals were:
>
> A. Opportunistic encryption for http:// URIs without server authentication -- a.k.a. "TLS Relaxed" as per draft-nottingham-http2-encryption.
>
> B. Opportunistic encryption for http:// URIs with server authentication -- the same mechanism, but not "relaxed", along with some form of downgrade protection.
>
> C. HTTP/2 to only be used with https:// URIs on the "open" Internet. http:// URIs would continue to use HTTP/1 (and of course it would
> still be possible for older HTTP/1 clients to still interoperate with https:// URIs).
>
> In subsequent discussion, there seems to be agreement that (C) is preferable to (B), since it is more straightforward; no new mechanism needs to be specified, and HSTS can be used for downgrade protection.
> ...

I'm really confused now, because I don't think option C) as outlined above has actually been discussed. From the minutes:

> 727 0) Don't know (yet)
> 728
> 729 [strong hums for can't live with]
> 730
> 731 1) Do nothing - hope that HTTPS gets more adoption
> 732
> 733 [strong hums for can't live with]
> 734
> 735 2) Opportunistic encryption w/o server authentication for HTTP URIs - just for
> 736 passive attacks
> 737
> 738 [ less strong for can't live with ]
> 739
> 740 3) Opportunistic encryption with server authentication AND downgrade protection
> 741 (somehow) for HTTP URIs; no requirement upon HTTP/2.0 when not available
> 742
> 743 [ weakest for can't live with ]
> 744
> 745 4) Require secure underlying protocol for HTTP/2.0 (at least in web browsing)
> 746
> 747 [ weaker for can't live with ]

Are you saying that 4) == C), and that 4) was about using https only?

Best regards, Julian
Received on Wednesday, 13 November 2013 11:04:20 UTC