Re: Moving forward on improving HTTP's security

On Wed, Nov 13, 2013 at 08:21:17AM -0500, Michael Sweet wrote:
> I also believe that HTTP/1.x has been so successful because of its ease (and
> freedom) of implementation. But IMHO restricting its use to https:// will
> only limit its use/deployment to sites/providers that can afford to deploy it
> and prevent HTTP/2.0 from replacing HTTP/1.1 in the long run.

That's a good point. I'd say I know some people who push *terabits* of pink
pixels over the net and who had never heard about HTTP/2 nor SPDY before I
talked to them about it and who still don't see the value there. Just like
they do zero TLS and do not expect to ever use it. So there's a use for
everything.

But I think that we could specify all uses of the protocol (e.g. think about
web services running in clear text which would benefit from 2.0) and at the
same time let browsers ship with the default options that suggest use of 2.0
for https:// and 1.1 for http:// just like we've had options in the past to
talk 1.1 or 1.0 to proxies, etc...

The protocol which will succeed will be the one which does not change the
users' habits while still improving their experience. We need to keep that
in mind. For example, if browsers emit a warning each time a user visits a
porn site that does not enable encryption, the users will keep an older
browser to visit these sites, and these sites will take care of supporting
older browsers, it will be as simple as this!

I think that both Pat and William told us several times that users don't
want to be bothered. It's up to us to meet their expectations :-)

Willy

Received on Wednesday, 13 November 2013 13:55:01 UTC