W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2013

Re: Moving forward on improving HTTP's security

From: (wrong string) 陈智昌 <willchan@chromium.org>
Date: Thu, 14 Nov 2013 10:05:11 -0800
Message-ID: <CAA4WUYj1vAW1XieHdTrB0u=BSazSf9G8piHcDzjs_J7sVJRgtg@mail.gmail.com>
To: Zhong Yu <zhong.j.yu@gmail.com>
Cc: Willy Tarreau <w@1wt.eu>, Martin J. Drst <duerst@it.aoyama.ac.jp>, Rob Trace <Rob.Trace@microsoft.com>, Michael Sweet <msweet@apple.com>, Mike Belshe <mike@belshe.com>, Tao Effect <contact@taoeffect.com>, Tim Bray <tbray@textuality.com>, James M Snell <jasnell@gmail.com>, Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
On Thu, Nov 14, 2013 at 10:00 AM, Zhong Yu <zhong.j.yu@gmail.com> wrote:

> On Thu, Nov 14, 2013 at 1:21 AM, Willy Tarreau <w@1wt.eu> wrote:
> > On Thu, Nov 14, 2013 at 04:07:07PM +0900, "Martin J. Drst" wrote:
> >> If I Rob this correctly, this may mean that a future version of IE will
> >> implement HTTP 2.0 without encryption for http: URIs.
> >>
> >> Next let's say that Apache 3.0 implements HTTP 2.0 which can be
> >> configured to run without encryption (after all, Apache is used in
> >> internal contexts, too).
> >>
> >> What's the chance of this *not* leaking out into the open internet and
> >> forcing other browser vendors to also allow HTTP 2.0 for http: URIs
> >> without encryption? After all, experience has shown that users quickly
> >> abandon a browser that doesn't work for some websites, and that browser
> >> vendors know about this and try to avoid it.
> >
> > And so what ? It's not a problem. Some browsers will likely implement
> > it at least with a config option that's disabled by default, and these
> > browsers will be the ones picked by developers during their tests,
> > because developers pick the browser that makes their life easier.
> And web servers also need to have an option to operate HTTP/2.0 on
> plain TCP to make dev's life easier. It's difficult to see why
> browsers/servers would risk to alienate developers. So most browsers
> and servers would end up with the capability of talking HTTP/2.0 over
> TCP.
Just to be clear, I'm a browser vendor speaking here, representing my own
personal views, but those generally align with the Chromium project. And
no, we don't have plans to support HTTP/2.0 in the clear. Firefox
developers like Pat have said similar things. So you're simply factually
wrong in your assertion about browsers.

> >
> > Willy
> >
> >
Received on Thursday, 14 November 2013 18:05:42 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:14:19 UTC