RE: HTTP/2 and Pervasive Monitoring from Albert Lunde on 2014-08-15 (ietf-http-wg@w3.org from July to September 2014)

From: Albert Lunde <atlunde@panix.com>
Date: Fri, 15 Aug 2014 08:08:08 -0500
To: <ietf-http-wg@w3.org>
Message-ID: <01c101cfb889$f7814bf0$e683e3d0$@panix.com>

>What you can do in an MITM scenario isn't really relevant to PM. It's still harder to MITM weak TLS than clear text.
>
>I think it is more worrisome having the weak ciphers in there at all, as it opens up for bad configurations and downgrade attacks of https connections.

Outside the realm of standards, the print edition of "Bulletproof SSL and TLS: Understanding and Deploying SSL/TLS and PKI to Secure Servers and Web Applications" by Ivan Ristic just shipped(as in I expect to get a copy from Amazon later today) The chapter on OpenSSL has been available for a while, and helped me with some recent issues.

Received on Friday, 15 August 2014 13:08:29 UTC