W3C home > Mailing lists > Public > ietf-http-wg@w3.org > April to June 2014

Re: New Version Notification for draft-nottingham-http2-encryption-03.txt

From: (wrong string) 陈智昌 <willchan@chromium.org>
Date: Tue, 20 May 2014 15:55:42 -0700
Message-ID: <CAA4WUYhXw--Ugjc2f2sxJWVq0y67p+NvWVog1TewWB9+1qGzsA@mail.gmail.com>
To: Martin Nilsson <nilsson@opera.com>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
On Tue, May 20, 2014 at 3:45 PM, Martin Nilsson <nilsson@opera.com> wrote:

> On Tue, 20 May 2014 18:54:22 +0200, Martin Thomson <
> martin.thomson@gmail.com> wrote:
>> Maybe there's a case for further highlighting the distinction we want
>> to retain, at least at the broadest level of generality: https ==
>> secure, http == not.  That is the point of Section 6.1, but I might be
>> convinced that repetition of this is necessary.
> I assume that the set of ciphers you negotiate from would be the same here
> as for https. The performance difference isn't big, and you minimize your
> traffic analysis footprint by not having different TLS parameters for http
> and https URLs. Given this the only possible difference are the
> certificates, and they will be the same for http as https users of a
> specific site. So in practice there will be no difference between the
> actual connections for http and https in many cases. Should you still not
> show any security indicators in the UI?

Transport security is very different from web security. For example, only
some of the resources in a webpage may be opportunistically encrypted with
strong authentication. If there's active content like script that's loaded
without transport security, that can compromise the entire page. Pages
loaded using opportunistic encryption definitely do not deserve the same
security indicator as an https:// page. One might argue that they deserve
something better than nothing, but explaining this difference to users is
quite difficult already, so it seems inadvisable to further muddy the
distinction by introducing a middle ground security indicator.

> /Martin Nilsson
> --
> Using Opera's revolutionary email client: http://www.opera.com/mail/
Received on Tuesday, 20 May 2014 22:56:10 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:14:30 UTC