Re: New Version Notification for draft-nottingham-http2-encryption-03.txt

On 20/05/14 23:45, Martin Nilsson wrote:
> On Tue, 20 May 2014 18:54:22 +0200, Martin Thomson
> <martin.thomson@gmail.com> wrote:
> 
>>
>> Maybe there's a case for further highlighting the distinction we want
>> to retain, at least at the broadest level of generality: https ==
>> secure, http == not.  That is the point of Section 6.1, but I might be
>> convinced that repetition of this is necessary.
>>
> 
> I assume that the set of ciphers you negotiate from would be the same
> here as for https. The performance difference isn't big, and you
> minimize your traffic analysis footprint by not having different TLS
> parameters for http and https URLs. Given this the only possible
> difference are the certificates, and they will be the same for http as
> https users of a specific site. So in practice there will be no
> difference between the actual connections for http and https in many
> cases. Should you still not show any security indicators in the UI?

Yes. If opportunistic, then e.g. it'd be ok to defer cert validation
thus being partly MiTM'able in some cases for some (maybe short) period.
But a short period is just fine for some bad actors.

S.


> 
> /Martin Nilsson
> 

Received on Tuesday, 20 May 2014 22:52:08 UTC