RE: Moving forward on improving HTTP's security

From: Mike Bishop <Michael.Bishop@microsoft.com>
Date: Wed, 13 Nov 2013 18:57:13 +0000
To: Tao Effect <contact@taoeffect.com>, Martin Thomson <martin.thomson@gmail.com>
CC: "William Chan (陈智昌)" <willchan@chromium.org>, Mike Belshe <mike@belshe.com>, Tim Bray <tbray@textuality.com>, James M Snell <jasnell@gmail.com>, Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <22b307e3f6c845569fe6a5bb621c2248@BY2PR03MB091.namprd03.prod.outlook.com>
While the language may be strong, I agree with the sentiment that they are distinct mechanisms.  Mark has proposed a mechanism, independent of HTTP/2.0, which can be used to migrate from an HTTP connection to an HTTPS connection.  That’s a separate proposal from HTTP/2.0.  The actual “security” of HTTPS is entirely dependent on TLS and completely orthogonal to HTTP/2.0.

From: Tao Effect [mailto:contact@taoeffect.com]
Sent: Wednesday, November 13, 2013 10:54 AM
To: Martin Thomson
Cc: "William Chan (陈智昌)"; Mike Belshe; Tim Bray; James M Snell; Mark Nottingham; HTTP Working Group
Subject: Re: Moving forward on improving HTTP's security

OK, I agree with this sentiment.

What worries me is the emphasis that I see being placed on HTTP 2.0 being "secure".

Perhaps it is somewhat of a marketing problem, but nevertheless, it's a marketing problem with potentially serious security consequences.

If HTTP/2.0 is flexible enough to allow for very different types of authentication practices than the ones currently done with the PKI/CA system, then I would support it.

Just make it _clear_ then that HTTP/2.0 is not about improving security.

If this is not made crystal clear, then people will continue to see news headlines on tech sites that give people the impression that something is actually being done to improve the internet's security with this "move to HTTP 2.0!", which is horse sh*t.

- Greg

Please do not email me anything that you are not comfortable also sharing with the NSA.

On Nov 13, 2013, at 1:47 PM, Martin Thomson <martin.thomson@gmail.com> wrote:

On 13 November 2013 10:42, William Chan (陈智昌) <willchan@chromium.org> wrote:

If there are issues with TLS or the PKI or whatever we're relying on for the
secure channel, let's fix it.

Yes.  We outsource the bulk of HTTP security work to the SEC area
working groups, primarily TLS.  They are acutely aware of the issues
and are working on improving the situation.  Let's concentrate on what
we can do.

Received on Wednesday, 13 November 2013 18:58:01 UTC