- From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
- Date: Thu, 14 Nov 2013 17:02:03 +0000
- To: Michael Sweet <msweet@apple.com>, Nicolas Mailhot <nicolas.mailhot@laposte.net>
- CC: Willy Tarreau <w@1wt.eu>, Mike Belshe <mike@belshe.com>, "William Chan (陈智昌)" <willchan@chromium.org>, Tao Effect <contact@taoeffect.com>, Tim Bray <tbray@textuality.com>, James M Snell <jasnell@gmail.com>, Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>

Just on two points...

On 11/14/2013 04:41 PM, Michael Sweet wrote:
> The point of all this is just that adding/requiring TLS for HTTP/2.0
> does not, by itself, make HTTP/2.0 more secure,

Adding even opportunistic encryption does make things more
secure. Nobody sensible said anything makes things "secure"
without some qualification.

> and that deploying
> TLS properly is not as simple as clicking a button. Last week the
> prevailing assumption was that “active attacks are too expensive”,

That's not correct. Lots of discussion last week related to
making pervasive attacks more expensive which is very different
to the above. For example active attacks are much more
detectable and hence riskier which is very different.

Having said that I do agree that the printer/device-as-server
issue is a real one.

S

> but in the last couple days we have discovered that assumption is not
> correct and that MITM proxies are widely deployed already.

Received on Thursday, 14 November 2013 17:02:27 UTC