W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2013

Re: Moving forward on improving HTTP's security

From: Zhong Yu <zhong.j.yu@gmail.com>
Date: Thu, 14 Nov 2013 12:00:25 -0600
Message-ID: <CACuKZqF-tKt3MFS4MkQW6_PhxG79W6WuvimOBjEiOEZ=xN02hQ@mail.gmail.com>
To: Willy Tarreau <w@1wt.eu>
Cc: Martin J. Dürst <duerst@it.aoyama.ac.jp>, Rob Trace <Rob.Trace@microsoft.com>, Michael Sweet <msweet@apple.com>, Mike Belshe <mike@belshe.com>, Tao Effect <contact@taoeffect.com>, Tim Bray <tbray@textuality.com>, James M Snell <jasnell@gmail.com>, Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
On Thu, Nov 14, 2013 at 1:21 AM, Willy Tarreau <w@1wt.eu> wrote:
> On Thu, Nov 14, 2013 at 04:07:07PM +0900, "Martin J. Dürst" wrote:
>> If I Rob this correctly, this may mean that a future version of IE will
>> implement HTTP 2.0 without encryption for http: URIs.
>> Next let's say that Apache 3.0 implements HTTP 2.0 which can be
>> configured to run without encryption (after all, Apache is used in
>> internal contexts, too).
>> What's the chance of this *not* leaking out into the open internet and
>> forcing other browser vendors to also allow HTTP 2.0 for http: URIs
>> without encryption? After all, experience has shown that users quickly
>> abandon a browser that doesn't work for some websites, and that browser
>> vendors know about this and try to avoid it.
> And so what ? It's not a problem. Some browsers will likely implement
> it at least with a config option that's disabled by default, and these
> browsers will be the ones picked by developers during their tests,
> because developers pick the browser that makes their life easier.

And web servers also need to have an option to operate HTTP/2.0 on
plain TCP to make dev's life easier. It's difficult to see why
browsers/servers would risk to alienate developers. So most browsers
and servers would end up with the capability of talking HTTP/2.0 over

> Willy
Received on Thursday, 14 November 2013 18:00:53 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:14:19 UTC