Re: Moving forward on improving HTTP's security

Hello Martin,

On Thu, Nov 14, 2013 at 07:49:17PM +0900, "Martin J. Dürst" wrote:
> >And so what ? It's not a problem. Some browsers will likely implement
> >it at least with a config option that's disabled by default, and these
> >browsers will be the ones picked by developers during their tests,
> >because developers pick the browser that makes their life easier.
> Sorry I wasn't clear enough. What I meant was: Does it make sense, as 
> Mark proposed at the start of this thread, to rely on browsers to not 
> implement HTTP 2.0 over the clear, if one of the major browser makers is 
> already saying they won't follow?

He didn't propose this, he proposed that it's not *used* by default, which
is very different. I think this is what could drive TLS adoption up the
most reasonable way without making it a blind requirement with all the
downsides that can be expectd.

> Of course for you or me that's not a problem because we are not strongly 
> insisting on HTTP 2.0 over TLS only.

You know, I'm for not deciding for others what's best for them. Engineers
design and propose, users adopt, and the most suited design wins (and
rarely the best).


Received on Thursday, 14 November 2013 11:19:32 UTC