Re: 2 questions from Amos Jeffries on 2015-03-30 (ietf-http-wg@w3.org from January to March 2015)

From: Amos Jeffries <squid3@treenet.co.nz>
Date: Mon, 30 Mar 2015 21:45:15 +1300
To: ietf-http-wg@w3.org
Message-ID: <55190D1B.6040107@treenet.co.nz>

On 30/03/2015 12:34 a.m., Walter H. wrote:
> On 29.03.2015 03:19, Constantine A. Murenin wrote:
>> On 2015-03-28 7:43, Glen wrote:
>>> 1. What were the reasons for HTTP/2 not requiring TLS?
>>>
>>> Is there a significant performance consideration, is it related to
>>> the cost of certificates (which is now fairly low or even free), or
>>> are there other technical reasons?
>>
>> This is incorrect.  The cost of certificates for webmasters is not
>> "fairly low or even free".
>>
> In fact they are fairly low or even free, because nobody tells you
> buying at the most expensive dealer ;-)
> 
> just try e.g. StartCom ;-)

Tried that. Got a far as where their Terms and Conditions forbid me from
getting certs on behalf of my clients.

>> Think of all the consumer electronic devices like the 15 USD 802.11n
>> wireless routers -- who's going to be paying for their certificates?
> any cheap routing box, either with WLAN or not does use self-signed
> certificates; and business environments have different use cases and/or
> hardware;
> and there they can have their own CA, too ...

Go ahead. Try it. The modern browsers will all throw up confusing
looking popups about security thingys, red stop signs, unlocked
padlocks, etc in front of their users on each request using self-signed
certs and Chrome will not even permit the device control pages to be opened.

> 
>> Yes, but mandating a mandatory "https://" address scheme is not a
>> solution.
> use TLS with the address scheme "https://", and
>>   As has been mentioned, Opportunistic Encryption through the
>> "http://" address scheme is what would help here instead.
> not any encryption with the "http://" address scheme;
> 
> you don't sell cows as pigs, do you;

Exactly why http:// is used instead of https://.

Like selling a bull instead of a cow - has many great and similar uses
(meat, better workloads, etc), same breed of beast, but milk supply is
not in the marketing brochure.

If you want milk, pay more for a real cow. I just need something that
will pull a cart.

Dont cull the entire pig population because someone sold you a "beef"
sausage filled with pork. None can save you bacon after that.

Amos

Received on Monday, 30 March 2015 08:46:01 UTC