Re: 2 questions

On 2015-03-28 7:43, Glen wrote:
> 1. What were the reasons for HTTP/2 not requiring TLS?
>
> Is there a significant performance consideration, is it related to the cost of certificates (which is now fairly low or even free), or are there other technical reasons?

This is incorrect.  The cost of certificates for webmasters is not 
"fairly low or even free".

If you have one single domain and you disregard the opportunistic costs 
you have to repeatedly endure in order to renew the certificate at least 
once per year (for the rest of the life of the web-site), sure, the cost 
may indeed be "fairly low or even free".

However, that is not the case if you have a few dozen domains (or even 
subdomains), have had all of them on a single IPv4 address prior to the 
HTTPS considerations, have requirements to support fairly recent 
hardware with Android 2.3 (which has no SNI), want all of your users, 
including Android 2.x ones, to be able to navigate to your web-site when 
clicking the (https://) links posted outside of your control etc.

Think of all the consumer electronic devices like the 15 USD 802.11n 
wireless routers -- who's going to be paying for their certificates? 
Who will be renewing them every year at the "fairly low or even free" cost?

> It would be nice if the web was just "secure by default", and I would have thought that now would be the right time to move in that direction.

Yes, but mandating a mandatory "https://" address scheme is not a 
solution.  As has been mentioned, Opportunistic Encryption through the 
"http://" address scheme is what would help here instead.

Cheers,
Constantine.

Received on Sunday, 29 March 2015 01:20:07 UTC