Re: Moving forward on improving HTTP's security from Patrick McManus on 2013-11-14 (ietf-http-wg@w3.org from October to December 2013)

From: Patrick McManus <pmcmanus@mozilla.com>
Date: Thu, 14 Nov 2013 12:34:19 -0500
To: Zhong Yu <zhong.j.yu@gmail.com>
Cc: Roberto Peon <grmocg@gmail.com>, Frédéric Kayser <f.kayser@free.fr>, HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <CAOdDvNr=eSYjHK-E5BB7F9ZbX8rL+rH=M2091feSNgeK75t1qA@mail.gmail.com>

On Thu, Nov 14, 2013 at 12:13 PM, Zhong Yu <zhong.j.yu@gmail.com> wrote:

>
> If that's the case, WebSocket is also "undeployable" since it tunnels
> though port 80 as well.
>
>
that's right. The failure rate of cleartext websockets is much higher than
SSL wss:// websockets. (the failure rate is almost twice as large in
firefox). That's a significant part of the driver here. Websockets made a
mistake by even specifying cleartext. I was there and I've learned that
lesson.

cleartext just doesn't work as, roberto keeps saying.

The only question in my mind is whether or not to require a real
PKI-as-we-know-it authenticated cert. That has tradeoffs - but at least we
expect it would operate.

Received on Thursday, 14 November 2013 17:34:47 UTC