Re: Moving forward on improving HTTP's security from Gili on 2013-11-14 (ietf-http-wg@w3.org from October to December 2013)

From: Gili <cowwoc@bbs.darktech.org>
Date: Thu, 14 Nov 2013 15:36:03 -0500
To: ietf-http-wg@w3.org
Message-ID: <52853433.5070008@bbs.darktech.org>

It sounds to me like you live in some ivory tower. Most developers suck 
(the average developer is not as smart as you). I've seen plenty of 
cases where debugging code was left in production systems and never 
taken out.

As far as I'm concerned, most developers would pick "easy to debug" over 
"reliable" any day of the week, and I also think saying TLS is required 
for reliability is unfair. There are plenty of "reliable" services out 
there with security holes. That doesn't make them any less "reliable". 
You will never *ever* reach 100% secure, which is why I view security as 
a goal which exists alongside but separate from reliability.

Gili

On 14/11/2013 2:58 PM, Roberto Peon wrote:
>
> Which devs?
>
> Most developers that I know will choose "reliable" over "easy to 
> debug" any day of the week. It is not pleasant dealing with 
> heisenbugs. It is better to not have to debug.
>
> In locales where one knows that http2 can work effectively in the 
> clear, e.g. corporate LANs, one will be able to do so.
>
> -=R
> On Nov 14, 2013 8:02 AM, "Zhong Yu" <zhong.j.yu@gmail.com 
> <mailto:zhong.j.yu@gmail.com>> wrote:
> >
> > On Thu, Nov 14, 2013 at 1:21 AM, Willy Tarreau <w@1wt.eu 
> <mailto:w@1wt.eu>> wrote:
> > > On Thu, Nov 14, 2013 at 04:07:07PM +0900, "Martin J. Dürst" wrote:
> > >> If I Rob this correctly, this may mean that a future version of 
> IE will
> > >> implement HTTP 2.0 without encryption for http: URIs.
> > >>
> > >> Next let's say that Apache 3.0 implements HTTP 2.0 which can be
> > >> configured to run without encryption (after all, Apache is used in
> > >> internal contexts, too).
> > >>
> > >> What's the chance of this *not* leaking out into the open 
> internet and
> > >> forcing other browser vendors to also allow HTTP 2.0 for http: URIs
> > >> without encryption? After all, experience has shown that users 
> quickly
> > >> abandon a browser that doesn't work for some websites, and that 
> browser
> > >> vendors know about this and try to avoid it.
> > >
> > > And so what ? It's not a problem. Some browsers will likely implement
> > > it at least with a config option that's disabled by default, and these
> > > browsers will be the ones picked by developers during their tests,
> > > because developers pick the browser that makes their life easier.
> >
> > And web servers also need to have an option to operate HTTP/2.0 on
> > plain TCP to make dev's life easier. It's difficult to see why
> > browsers/servers would risk to alienate developers. So most browsers
> > and servers would end up with the capability of talking HTTP/2.0 over
> > TCP.
> >
> >
> > >
> > > Willy
> > >
> > >
> >
>

Received on Thursday, 14 November 2013 20:36:40 UTC