- From: James M Snell <jasnell@gmail.com>
- Date: Sun, 17 Nov 2013 10:08:04 -0800
- To: ietf-http-wg@w3.org
- Message-ID: <CABP7RbfQCW_J=stN-Jbi3PxqmPkhzakZjNjDG7CgSx=2DFG8gg@mail.gmail.com>
The volume on the other threads on the security subject is causing far too much noise. I have a proposal that offers a compromise approach. I posted about this partially in one of the threads but I'm afraid it got lost in the noise. Others have touched on the same basic idea: 1. By default, assign plain text http/2 to a new port. 2. Document that plaintext http/2 can be sent over port 80 but document the various possible issues with reliability. 3. Strongly recommend that http/2 be sent over TLS instead of plaintext. 4. Establish a new http2 URL protocol prefix for plaintext http2 over the new default port This does several things. A. It makes plaintext http/2 possible but significantly harder. Some. Would argue that makes plaintext http/2 "undeployable"... The same people who have argued that have also argued that plaintext http/2 should not be used at all. Therefore, those people really do not lose anything by following this approach. B. It makes http/2 over TLS the default for the public internet since that's the only option that would be broadly deployable on today's infrastructure. C. It makes it less likely that we would have to deal with the upgrade dance on port 80. Which is a good thing. Http:// URLs would always mean http/1.x. Http2://example:80 would mean http/2 over port 80. D. Developers would be forced to make a conscious choice to use plaintext http/2 over an established default port. There's zero ambiguity. The folks who are arguing for TLS only really lose nothing with this approach. It still, over course, does nothing about the mitm issues on port 443, but its a start. - James
Received on Sunday, 17 November 2013 18:08:31 UTC