- From: Constantine A. Murenin <cnst@NetBSD.org>
- Date: Sat, 28 Mar 2015 18:19:30 -0700
- To: Glen <glen.84@gmail.com>
- CC: ietf-http-wg@w3.org

On 2015-03-28 7:43, Glen wrote:
> 1. What were the reasons for HTTP/2 not requiring TLS?
>
> Is there a significant performance consideration, is it related to the cost of certificates (which is now fairly low or even free), or are there other technical reasons?

This is incorrect. The cost of certificates for webmasters is not "fairly low or even free".

If you have one single domain and you disregard the opportunistic costs you have to repeatedly endure in order to renew the certificate at least once per year (for the rest of the life of the web-site), sure, the cost may indeed be "fairly low or even free".

However, that is not the case if you have a few dozen domains (or even subdomains), have had all of them on a single IPv4 address prior to the HTTPS considerations, have requirements to support fairly recent hardware with Android 2.3 (which has no SNI), want all of your users, including Android 2.x ones, to be able to navigate to your web-site when clicking the (https://) links posted outside of your control etc.

Think of all the consumer electronic devices like the 15 USD 802.11n wireless routers -- who's going to be paying for their certificates? Who will be renewing them every year at the "fairly low or even free" cost?

> It would be nice if the web was just "secure by default", and I would have thought that now would be the right time to move in that direction.

Yes, but mandating a mandatory "https://" address scheme is not a solution. As has been mentioned, Opportunistic Encryption through the "http://" address scheme is what would help here instead.

Cheers,
Constantine.

Received on Sunday, 29 March 2015 01:20:07 UTC