I might be under-thinking this one... but it occurs to me it's possible to not put the TLS version of the site on 443 if there is no https:// version of the site. OE doesn't require a particular port number, and 443 seems like the wrong choice if https:// isn't available. Too simplistic?

On Thu, Feb 5, 2015 at 10:08 AM, Erik Nygren <erik@nygren.org> wrote:

> While digging further into server-side implementation details of the
> current opportunistic security draft, we identified a user experience
> problem. In particular, for a site that has Virtual Hosts which are
> HTTP-only (i.e., there is no valid certificate for them), there is no way in
> the current proposal to both support Opportunistic Security (negotiate h2
> for http scheme over TLS without a necessarily valid certificate) without
> also giving users accidentally typing in https URIs a certificate mismatch
> interstitial they'd be prompted to click through.

Received on Tuesday, 10 February 2015 22:47:33 UTC