Re: Concluding discussion on #612 (9.2.2)

On Wed, Oct 8, 2014 at 8:25 AM, Albert Lunde <atlunde@panix.com> wrote:

> Another side to the questions of TLS ciphers and modes is that pretty much
> everything that is a security risk to HTTP/2
>
> Is a security risk to HTTP/1.1.

Brian and Martin have argued against the clarity of exactly that argument
just a couple messages back in this thread. The mux and compression
properties of h2 mean h2 and h1 interact with TLS in different, perhaps
meaningful, ways.

But beyond that, fixing such things in h1 breaks interop with
implementations that were conformant when they were shipped. h2 doesn't
have the same legacy concerns. This is the chance to clear the decks of
legacy-enforced algorithms. We know what that looks like, and draft-14
captures it.

-P

Received on Wednesday, 8 October 2014 13:45:48 UTC