2 questions


I have 2 questions, if I may.

1. What were the reasons for HTTP/2 not requiring TLS?

Is there a significant performance consideration, is it related to the cost of certificates (which is now fairly low or even free), or are there other technical reasons?

It would be nice if the web was just "secure by default", and I would have thought that now would be the right time to move in that direction.

Also, at least 2 of the major browser vendors have said that they won't be supporting HTTP/2 without TLS, so surely no one is going to want to run their website without it?

2. Are the BREACH and CRIME exploits still applicable, especially with regard to content (body) compression? If so, does that mean that it's not possible to compress content (with gzip, for example) and still maintain security?

Please respond as if I were a layman, as my knowledge on these subjects is somewhat limited.


Received on Saturday, 28 March 2015 20:11:32 UTC