No objection, but in Vancouver, there seemed to be quite a few voices saying that trying for opportunistic encryption, even of http:-scheme connections, was a good idea if technically achievable. I’d certainly be in favor.

On Thu, Nov 14, 2013 at 11:32 PM, Roberto Peon <grmocg@gmail.com> wrote:

> For 1,2: How is this not orthogonal to the rest of the discussion?
> For 3: I'm assuming you mean because the data is encrypted. You can MITM
> this.
>
> Just to be sure we're all on the same page here (because it seems that
> we're not):
> As I understand it, the proposal is:
>   For web activity on the "open internet", if the scheme is https,
>   attempt to use http/2 over an encrypted, authenticated channel.
>   For web activity on the "open internet", if the scheme is http, use
>   http/1 over an unencrypted, plaintext channel.
>   For activity on a private network: use any combination of
>   {authenticated, unauthenticated}{encrypted, unencrypted}{http2,http1} you
>   desire.
>
> Is there an objection to this?
> -=R
>
>
> On Thu, Nov 14, 2013 at 11:16 PM, Nicolas Mailhot <
> nicolas.mailhot@laposte.net> wrote:
>
>>
>> On Fri, 15 November 2013 07:57, Roberto Peon wrote:
>> > What is your threat model?
>>
>> The threat model is
>> 1. developer that makes information leak through incompetence, laziness,
>> sloppiness or greed (cf all the info your average android app wants to
>> access)
>> 2. attacker that does not need to penetrate target anymore can just
>> collect the leaked info at endpoints (see also: Snowden)
>> 3. protocol that prevents anyone doing anything about it by default
>>
>> --
>> Nicolas Mailhot
>>
>>

Received on Friday, 15 November 2013 07:36:40 UTC