- From: Martin Thomson <martin.thomson@gmail.com>
- Date: Thu, 30 Jan 2014 15:03:53 -0800
- To: Brian Smith <brian@briansmith.org>
- Cc: William Chan (陈智昌) <willchan@chromium.org>, Michael Sweet <msweet@apple.com>, HTTP Working Group <ietf-http-wg@w3.org>
On Thu, Jan 30, 2014 at 9:41 AM, William Chan (陈智昌) <willchan@chromium.org> wrote:
> introduce a potential downgrade attack.

I think that without an actual analysis, sharing "bad feelings" only really amounts to scaremongering.

True, we want to use HTTP/2 as an inducement for upgrading your TLS stack. But so far, I've seen no evidence that HTTP/2 is intrinsically "more secure" than HTTP/1.1. If anything, with header compression and coalescing, it's possible that it could be worse in HTTP/2. I consider the fact that it is easier to correctly implement HTTP/2 over HTTP/1.1 as something of a non-difference, though I will concede that in some cases this has been an issue.

On 30 January 2014 11:31, Brian Smith <brian@briansmith.org> wrote:
> I agree with you. I think it would be good if we implemented this
> hard-fail behavior before the next interop meeting. Then we will
> really find out if/how the TLS requirements are problematic.

That's why it's in there.
Received on Thursday, 30 January 2014 23:04:21 UTC