On Fri, Sep 5, 2014 at 6:56 AM, Greg Wilkins <gregw@intalio.com> wrote: > > > If the ciphers are inadequate for h2, then why aren't they inadequate for > http/1, spdy and > other protocols the ALPN might list? > they might well be inadequate for all those protocols, but we accept them for the sake of backwards compatibility. (basically the same reason we accept http:// urls at all). h2 is an opportunity to update to current best practice. If you design a pure h2 service you can be more confident in its security properties.
Received on Friday, 5 September 2014 12:05:32 UTC