Re: 2 questions

From: Walter H. <Walter.H@mathemainzel.info>
Date: Sun, 29 Mar 2015 13:24:32 +0200
Message-ID: <5517E0F0.7010505@mathemainzel.info>
To: Cory Benfield <cory@lukasa.co.uk>
CC: ietf-http-wg@w3.org, Glen <glen.84@gmail.com>

On 28.03.2015 22:36, Cory Benfield wrote:
>> On 28 Mar 2015, at 14:43, Glen <glen.84@gmail.com> wrote:
>> 1. What were the reasons for HTTP/2 not requiring TLS?
> The shortest answer to this is that there was not much extra cost in allowing plaintext HTTP/2, and it was requested by several WG members for specific use cases where TLS may not be appropriate.
These use cases are any websites for the public without any access
restrictions ...
> In practice, most of HTTP/2 in the open web will be deployed using TLS
The wrong way ...
> Chrome and Firefox have no plans to support HTTP/2 in plaintext, ...
This doesn't make any sense, because if every website is encrypted,
the sensitivity to invalid X.509 certificates decreases ...
and so it becomes easier to fake banking sites, the most sensitive part
of encrypted websites.
>> It would be nice if the web was just "secure by default", and I would have thought that now would be the right time to move in that direction.
> We are. =) Check out the opportunistic encryption draft[0] for examples of how we’re moving in that direction. Firefox already supports this draft, so websites can today start offering opportunistic HTTP-over-TLS if they would like to.
As said above: the wrong way.

Just think about why transports of money are escorted by police
and not everything else, too.


Received on Sunday, 29 March 2015 11:25:02 UTC