- From: Patrick McManus <pmcmanus@mozilla.com>
- Date: Tue, 10 Feb 2015 17:47:09 -0500
- To: Erik Nygren <erik@nygren.org>
- Cc: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Received on Tuesday, 10 February 2015 22:47:33 UTC
I might be under-thinking this one.... but it occurs to me it's possible to not put the tls version of the site on 443 if there is no https:// version of the site.. oe doesn't require a particular port number and 443 seems like the wrong choice if https:// isn't available.

too simplistic?

On Thu, Feb 5, 2015 at 10:08 AM, Erik Nygren <erik@nygren.org> wrote:

> While digging further into server-side implementation details of the
> current opportunistic security draft, we identified a user experience
> problem. In particular, for a site that has Virtual Hosts which are
> HTTP-only (ie, there is no valid certificate for them), there is no way in
> the current proposal to both support Opportunistic Security (negotiate h2
> for http scheme over TLS without a necessarily valid certificate) without
> also giving users accidentally typing in https URIs a certificate mismatch
> interstitial they'd be prompted to click through.