Re: Moving forward on improving HTTP's security

Unreliable deployability over port 80 in the open web is well known. See
web devs talking about how to deploy WebSockets: See Google's
websockets experiment: I could
pull up more examples, but you probably get the picture by now. No major
service that operates on the open web *currently* deploys WebSockets over
port 80.

If you need reliable deployment over the open web, then port 80 cleartext
is not acceptable. Period. But if you're OK with double-digit failure rates
(maybe that'll go down to single digit in some future world where HTTP/2
has much wider deployment), then it's fine to deploy HTTP/2 for your
service over port 80 cleartext. But large services generally aren't going
to do this, because such high failure rates leads to lots of lost business.

Private networks are a completely different matter of course.

On Thu, Nov 14, 2013 at 9:46 AM, Zhong Yu <> wrote:

> On Thu, Nov 14, 2013 at 11:34 AM, Patrick McManus <>
> wrote:
> >
> > On Thu, Nov 14, 2013 at 12:13 PM, Zhong Yu <> wrote:
> >>
> >>
> >> If that's the case, WebSocket is also "undeployable" since it tunnels
> >> though port 80 as well.
> >>
> >
> > that's right. The failure rate of cleartext websockets is much higher
> than
> > SSL wss:// websockets. (the failure rate is almost twice as large in
> > firefox). That's a significant part of the driver here. Websockets made a
> > mistake by even specifying cleartext. I was there and I've learned that
> > lesson.
> Would it have been a bigger mistake if WebSocket only works on secure
> channel? Would that encourage or discourage the deployment of
> WebSocket? I think it would definitely have been a deterrent.
> In the current scheme, the service provide can try ws:// first. It
> might work very satisfactorily (e.g. if most users connect from home
> computers). If it does not, the service provider can upgrade to wss://
> without too much hassle.
> >
> > cleartext just doesn't work as, roberto keeps saying.
> Aren't websocket frames masked with random bits?
> >
> > The only question in my mind is whether or not to require a real
> > PKI-as-we-know-it authenticated cert. That has tradeoffs - but at least
> we
> > expect it would operate.
> >

Received on Thursday, 14 November 2013 18:02:10 UTC