- From: Walter H. <Walter.H@mathemainzel.info>
- Date: Sun, 29 Mar 2015 13:24:32 +0200
- To: Cory Benfield <cory@lukasa.co.uk>
- CC: ietf-http-wg@w3.org, Glen <glen.84@gmail.com>
- Message-ID: <5517E0F0.7010505@mathemainzel.info>
Hello,

On 28.03.2015 22:36, Cory Benfield wrote:
>> On 28 Mar 2015, at 14:43, Glen <glen.84@gmail.com> wrote:
>>
>> 1. What were the reasons for HTTP/2 not requiring TLS?
> The shortest answer to this is that there was not much extra cost in allowing plaintext HTTP/2, and it was requested by several WG members for specific use cases where TLS may not be appropriate.

These use cases are any websites for the public without any access restrictions ...

> In practice, most of HTTP/2 in the open web will be deployed using TLS

The wrong way ...

> Chrome and Firefox have no plans to support HTTP/2 in plaintext, ...

This doesn't make any sense, because in case every website is encrypted, the sensitivity to invalid X.509 certificates becomes less ... and so it makes it easier to fake banking sites - the most sensitive part of encrypted websites;

>> It would be nice if the web was just "secure by default", and I would have thought that now would be the right time to move in that direction.
> We are. =) Check out the opportunistic encryption draft[0] for examples of how we're moving in that direction. Firefox already supports this draft, so websites can today start offering opportunistic HTTP-over-TLS if they would like to.

As said above: the wrong way; just think about why transports of money are escorted by police, and not everything else, too.

Greetings,
Walter
Attachments:
- application/pkcs7-signature attachment: S/MIME Cryptographic Signature
Received on Sunday, 29 March 2015 11:25:02 UTC