A proposal

The volume on the other threads on the security subject is causing far too
much noise. I have a proposal that offers a compromise approach. I posted
about this partially in one of the threads but I'm afraid it got lost in
the noise. Others have touched on the same basic idea:

1. By default, assign plain text http/2 to a new port.
2. Document that plaintext http/2 can be sent over port 80 but document the
various possible issues with reliability.
3. Strongly recommend that http/2 be sent over TLS instead of plaintext.
4. Establish a new http2 URL protocol prefix for plaintext http2 over the
new default port

This does several things.

A. It makes plaintext http/2 possible but significantly harder. Some would
argue that makes plaintext http/2 "undeployable"... The same people who
have argued that have also argued that plaintext http/2 should not be used
at all. Therefore, those people really do not lose anything by following
this approach.

B. It makes http/2 over TLS the default for the public internet since
that's the only option that would be broadly deployable on today's

C. It makes it less likely that we would have to deal with the upgrade
dance on port 80. Which is a good thing. Http:// URLs would always mean
http/1.x. Http2://example:80 would mean http/2 over port 80.

D. Developers would be forced to make a conscious choice to use plaintext
http/2 over an established default port. There's zero ambiguity.

The folks who are arguing for TLS only really lose nothing with this
approach. It still, of course, does nothing about the mitm issues on port
443, but it's a start.

- James

Received on Sunday, 17 November 2013 18:08:31 UTC