W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2013

Re: HTTP 2.0 mandatory security vs. Amateur Radio

From: Roberto Peon <grmocg@gmail.com>
Date: Fri, 15 Nov 2013 00:14:01 -0800
Message-ID: <CAP+FsNfRWK4pVvGxhwkfcYuhxS=bjM7mUhTMTRKSEM1=mPvUgg@mail.gmail.com>
To: Bruce Perens <bruce@perens.com>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
On Thu, Nov 14, 2013 at 11:58 PM, Bruce Perens <bruce@perens.com> wrote:

>  On 11/14/2013 11:49 PM, Roberto Peon wrote:
>  When I think about how we got here, I'm fairly certain that there is no
> MUST we could put into a document or spec, and there is no social
> engineering that would have prevented us from reaching the state that we're
> in today w.r.t. middleboxes.
> It seems to me that the major employment of firewall rules is to protect
> from the unknown. We don't know what legitimate traffic would ever be on
> that port, so we block it.
> It is a solvable task to teach that this practice breaks the internet, and
> to promote better practices. I don't see that it would be impossible to do
> this with MUST rules in a specification, although that isn't the only means
> available.
> The problem of port 80 traffic being handled incorrectly becomes much less
> important if other ports are available.

Sure, I agree with the premise that we'd be in a better state if ports were
But that seems like an educational problem, not a mechanical problem, and
as such I am dubious about it being solvable in any near or medium-term
timeframe (it takes 5+ years to get hardware replaced normally, I think?),
assuming it is solvable at all.
(Looking at education for even simpler things, apparently education is an
extremely difficult problem...)

I am in no way opposed to people trying to go down that path, of course...

Received on Friday, 15 November 2013 08:14:30 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:14:19 UTC