Re: How HTTP 2.0 mandatory security will actually reduce my personal security


On 11/15/2013 05:38 PM, Roberto Peon wrote:
> *sigh*

Sorry to be so predictable:-)

> So, Stephen, do you support using encryption or not, and can we move that
> discussion to a separate thread?

I very much support using encryption.

I'm ok with mnot's plan, if there's work done to
tackle how to get server certs for web sites and
devices, but am worried that'll not happen or
will fail to help.

I'd really liked the idea of http:// URIs via
unauthenticated TLS for HTTP/2.0 and am a bit
sad that's being punted down the road. I do
see that that's complicated for mixed-content,
maybe even fatally complicated.

I'm very very against TLS MITM proposals.

But I do think that's all been said. I hadn't
seen the scale of impact of TLS MITM called out
that way, which is why I posted.


> -=R
> On Fri, Nov 15, 2013 at 9:24 AM, Stephen Farrell wrote:
>> Hi,
>> On 11/15/2013 05:18 PM, Roberto Peon wrote:
>>> and even
>>> submitted and contributed to a couple of drafts on the topic.
>> I don't know if you mean a TLS MITM proposal or something
>> else.
>> In the former case, please accompany any such proposal with
>> an analysis of the set of 176 RFCs [1] that reference 5246
>> and the 91 that refer to 4246 [2] and the 167 that refer to
>> 2246 [3] to demonstrate that MITM'ing all of those is a good
>> and safe plan. And of course that ignores the non-IETF things
>> that might use TLS, which I'm sure is some medium sized
>> chunk of the 1573 [4] references that google scholar throws
>> up.
>> Thanks, (or rather, "No, thanks"),
>> S.
>> [1]
>> [2]
>> [3]
>> [4]

Received on Friday, 15 November 2013 17:55:25 UTC