Re: http2 opportunistic security negotiation

From: Patrick McManus <pmcmanus@mozilla.com>
Date: Tue, 10 Feb 2015 17:47:09 -0500
Message-ID: <CAOdDvNryHpJ=GR2GJn3pxcL+FRVDKLJSs38wYd5wFUvGy3x3Eg@mail.gmail.com>
To: Erik Nygren <erik@nygren.org>
Cc: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>

I might be under-thinking this one.... but it occurs to me it's possible to
not put the TLS version of the site on 443 if there is no https:// version
of the site. OE doesn't require a particular port number and 443 seems
like the wrong choice if https:// isn't available. Too simplistic?

On Thu, Feb 5, 2015 at 10:08 AM, Erik Nygren <erik@nygren.org> wrote:

> While digging further into server-side implementation details of the
> current opportunistic security draft, we identified a user experience
> problem.  In particular, for a site that has Virtual Hosts which are
> HTTP-only (i.e., there is no valid certificate for them), there is no way in
> the current proposal to both support Opportunistic Security (negotiate h2
> for http scheme over TLS without a necessarily valid certificate) without
> also giving users accidentally typing in https URIs a certificate mismatch
> interstitial they'd be prompted to click through.
>
Received on Tuesday, 10 February 2015 22:47:33 UTC
