Re: Moving forward on improving HTTP's security

The radio far dominates battery life considerations w.r.t IO on mobile
devices, so if we were super worried about that, we'd be working on getting
the best possible compression algorithm for entity-bodies.

I note that with Mark's proposed 'C':
Encryption is not mandatory- one simply uses HTTP/1.1 if one don't want
encryption. Noone is thus forced to do anything: they're not forced to
spend more CPU, etc., unless they believe the benefit outweighs the cost.

Honestly, this is where we are anyway. We don't have the power, even if we
wished it, to throw away HTTP/1.X and so we'll always be competing against
its cost/benefit.

I'm pretty happy with either 'C' or any other proposal that provides strong
downgrade protection.


On Wed, Nov 13, 2013 at 5:56 PM, Frédéric Kayser <> wrote:

> May I ask if encryption is a free operation? or (as I suspect) does it
> impact CPU usage and therefore power consumption on both (servers and
> clients) sides, possibly increasing server rooms electricity bills,
> reducing smartphones autonomy and make F5 Networks stocks surge. I let you
> guess if my preoccupation is self-seeking or rather environmental…
> I thought that HTTP/2 would progressively entirely replace HTTP/1.1 but
> making HTTPS mandatory is probably the best way to keep it around
> indefinitely.
> Tim Bray wrote:
> On Wed, Nov 13, 2013 at 12:01 PM, William Chan (陈智昌) <
>> wrote:
>> * The marginal security benefit of unauthenticated encryption is fairly
>> marginal. Which adversary is this intended to defeat? It might defeat
>> something like Firesheep for now, until tools like that get updated to MITM
>> as well. Does it shift the economics very much on passive pervasive
>> monitoring? What wins do y'all foresee here?
> Shifting the economics on pervasive surveillance seems like the big deal
> to me. It becomes much less attractive for three-letter agencies to just
> collect everything and data-mine it.  MITM-ing on a large scale doesn’t
> sound very practical.
>> * As for downsides, will people read too much into the marginal security
>> benefit and thus think that it's OK not to switch to HTTPS? If so, that
>> would be terrible. It's hard to assess how large this risk is though. Do
>> you guys have thoughts here?
> I agree that’s a risk, but we’re all kind of talking out of our asses here
> because we don’t have any data.  My intuition is that people who actually
> understand the issues will understand the shortcomings of opportunistic and
> not use it where inappropriate, and people who don’t get why they should
> encrypt at all will get some encryption happening anyhow.  But intuition is
> a lousy substitute for data.

Received on Thursday, 14 November 2013 02:11:22 UTC