Re: 2 questions

well from where I stand there is a certain amount of duress being 
applied to move people to TLS.

* browser vendors saying they won't support plaintext (I wonder how long 
that will last)
* not really much effort going into working through issues with 
plaintext version since it's always supposedly assumed that it won't 
really be used and people will stick with 1.1 or go to https, and issues 
will be solved.  Somehow.  Maybe.  Hopefully.

not many other options have been seriously considered for solving the 
presumed problem of bad things happening on port 80.  Like moving to 
another port.  100 is still available.

It is reasonable to want to avoid bad things but there are other ways 
than TLS, but thanks to the push to https everywhere now everyone has a 
MITM that will probably make port 443 just as broken as port 80.  Maybe 
not quite, since I guess ISPs are less likely to do that.  But still a 
lot worse now than 2 years ago.

Not to mention the concerns around moving en masse to TLS and what that 
will do for the security of TLS itself.  I'm not sure it's ready for the 
load.  CA compromises will affect a lot more sites.  They do happen and 
will continue to do so, especially as the bounty goes up by a few orders 
of magnitude.  A lot of eggs going into not many (CA) baskets.

Maybe we should be putting the effort into that first - solving issues 
with PKI before loading the whole internet onto it.  Maybe they are 
already doing that.


------ Original Message ------
From: "Cory Benfield" <>
To: "Adrien de Croy" <>
Cc: "Yoav Nir" <>; "Glen" <>; 
"" <>
Sent: 30/03/2015 9:26:27 p.m.
Subject: Re: 2 questions

>On 30 March 2015 at 04:15, Adrien de Croy <> wrote:
>>  I can buy that 1/3 of web requests use TLS.
>>  however that does not apply to 1/3 of web sites using TLS. Probably 
>>just FB
>>  and google alone account for 1/3 of web requests.
>>  There are surely hundreds of millions of sites. That's at least tens 
>>  millions of administrators who will need to take on the burden of 
>>making TLS
>>  work on their site. Many will not see any point in this. Pretty much 
>>  the sites that felt a need to deploy TLS will have already done so, 
>>and the
>>  others will not thank the IETF or google or the chromium project for
>>  attempting to force costs on them.
>No-one is being *forced* to do anything. HTTP/1.1 is not going away.
>If you dig back through the archives of this working group you'll
>repeatedly find statements from almost all camps that HTTP/1.1 will be
>around for the foreseeable future. Website owners that cannot set up
>TLS will still find plenty of support for plaintext HTTP.
>In this case I think Google and Firefox are probably right: HTTP/2 in
>plaintext is likely to break frequently and mysteriously. This is
>mostly because of intermediaries that believe they understand HTTP,
>but don't do it very well (HAProxy is a good example I can think off
>of the top of my head). These intermediaries are usually transparent
>to HTTP/1.1 users, but they will likely break HTTP/2 traffic over port
>80. Chrome and Firefox are therefore acting in the interest of both
>users and operators when they forbid this kind of traffic. They're
>saving your users from thinking your website is broken because their
>ISP deployed some terrible intermediate 'service' that mangles HTTP/2
>(consider Comcast's injection of HTTP headers, for example).
>At this point in time, my HTTP/2 implementation does not support
>plaintext HTTP/2. I will add support for it in the next few weeks, but
>I do not expect it to work in the vast majority of cases, and will be
>emitting warning logs to that effect.

Received on Monday, 30 March 2015 12:30:47 UTC