Re: HTTP/2 and Pervasive Monitoring

From: Eliot Lear <lear@cisco.com>
Date: Fri, 15 Aug 2014 14:27:53 +0200
Message-ID: <53EDFCC9.1080606@cisco.com>
To: Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>

Hi Mark,

Just on these two points, taken together:

On 8/15/14, 4:58 AM, Mark Nottingham wrote:
> One proposal we considered was to require the use of TLS (through https:// URIs) for HTTP/2. However, some members of the community pushed back against this, on the grounds that it would be too onerous for some uses of HTTP (not necessarily CPU; cost and administration of certificates was cited as a burden, as was the follow-on disruption to applications, since transitioning from HTTP to HTTPS often requires non-trivial content changes, due to the way that the browser security model works).
>
> We also discussed an "Opportunistic Security" approach to using TLS for http:// URIs (but without authentication). This was a bit controversial too, as some community members felt that having another, weaker kind of security defined harms the long-term deployment of "full" TLS. 

Some of us have been a little nervous about the spread of infections due
to encryption with unauthenticated endpoints, making it a bit more of a
pain for in-path virus checkers and such.  That was raised several
times.  You saw data published to this list from Cisco saying that this
wasn't really a problem when the server had a valid cert.

Eliot



Received on Friday, 15 August 2014 12:28:29 UTC
