
Re: How to handle HTTP/2 negotiation failure WRT TLS

From: Martin Thomson <martin.thomson@gmail.com>
Date: Thu, 30 Jan 2014 15:03:53 -0800
Message-ID: <CABkgnnXD=owa1JF5JbWqK9aGE=6sJyGYF2r_wabr1rt-Oy9boA@mail.gmail.com>
To: Brian Smith <brian@briansmith.org>
Cc: William Chan (陈智昌) <willchan@chromium.org>, Michael Sweet <msweet@apple.com>, HTTP Working Group <ietf-http-wg@w3.org>

On Thu, Jan 30, 2014 at 9:41 AM, William Chan (陈智昌)
<willchan@chromium.org> wrote:
> introduce a potential downgrade attack.

I think that without an actual analysis, sharing "bad feelings" only
really amounts to scaremongering.

True, we want to use HTTP/2 as an inducement for upgrading your TLS
stack.  But so far, I've seen no evidence that HTTP/2 is intrinsically
"more secure" than HTTP/1.1.

If anything, with header compression and coalescing, it's possible
that it could be worse in HTTP/2.  I consider the fact that it is
easier to correctly implement HTTP/2 over HTTP/1.1 as something of a
non-difference, though I will concede that in some cases this has been
an issue.

On 30 January 2014 11:31, Brian Smith <brian@briansmith.org> wrote:
> I agree with you. I think it would be good if we implemented this
> hard-fail behavior before the next interop meeting. Then we will
> really find out if/how the TLS requirements are problematic.

That's why it's in there.

Received on Thursday, 30 January 2014 23:04:21 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:14:23 UTC