Re: New Version Notification for draft-nottingham-http2-encryption-03.txt

From: Martin Nilsson <nilsson@opera.com>
Date: Wed, 21 May 2014 00:45:00 +0200
To: ietf-http-wg@w3.org
Message-ID: <op.xf6j5aubiw9drz@uranium.oslo.osa>

On Tue, 20 May 2014 18:54:22 +0200, Martin Thomson
<martin.thomson@gmail.com> wrote:

> Maybe there's a case for further highlighting the distinction we want
> to retain, at least at the broadest level of generality: https ==
> secure, http == not.  That is the point of Section 6.1, but I might be
> convinced that repetition of this is necessary.

I assume that the set of ciphers you negotiate from would be the same here  
as for https. The performance difference isn't big, and you minimize your  
traffic analysis footprint by not having different TLS parameters for http  
and https URLs. Given this, the only possible difference is the
certificates, and they will be the same for http as https users of a
specific site. So in practice there will be no difference between the  
actual connections for http and https in many cases. Should you still not  
show any security indicators in the UI?

/Martin Nilsson
Received on Tuesday, 20 May 2014 22:45:30 UTC