Re: 2 questions

> On Mar 30, 2015, at 3:29 PM, Adrien de Croy <adrien@qbik.com> wrote:
> 
> 
> well from where I stand there is a certain amount of duress being applied to move people to TLS.
> 
> * browser vendors saying they won't support plaintext (I wonder how long that will last)
> * not really much effort going into working through issues with plaintext version since it's always supposedly assumed that it won't really be used and people will stick with 1.1 or go to https, and issues will be solved.  Somehow.  Maybe.  Hopefully.
> 
> not many other options have been seriously considered for solving the presumed problem of bad things happening on port 80.  Like moving to another port.  100 is still available.
> 
> It is reasonable to want to avoid bad things but there are other ways than TLS, but thanks to the push to https everywhere now everyone has a MITM that will probably make port 443 just as broken as port 80.  Maybe not quite, since I guess ISPs are less likely to do that.  But still a lot worse now than 2 years ago.

Not quite. ALPN is carefully engineered to play nice with MitM. The MitM that are installed now (and for the last 8 years) will easily strip the ALPN extension and downgrade client and server to HTTP/1.

Yoav

Received on Monday, 30 March 2015 13:04:16 UTC
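
A check for the downgrade described in the reply above, added here as an example and not part of the original thread: it parses the ALPN extension (RFC 7301) out of a ClientHello and compares what the client sent with what reached the server. The function names are hypothetical, the ClientHello bytes are constructed sample input, and it assumes the defender can capture the handshake on both sides of the intercepting device.

```python
import struct

ALPN_EXT = 16  # application_layer_protocol_negotiation extension type (RFC 7301)

def build_client_hello(alpn):
    """Constructed, minimal ClientHello handshake message (sample input, not a capture)."""
    exts = b""
    if alpn:
        names = b"".join(bytes([len(p)]) + p for p in alpn)
        data = struct.pack("!H", len(names)) + names
        exts += struct.pack("!HH", ALPN_EXT, len(data)) + data
    exts += struct.pack("!HH", 0xFF01, 1) + b"\x00"   # renegotiation_info, always present
    body = (b"\x03\x03" + bytes(32)                   # client_version, random
            + b"\x00"                                 # empty session_id
            + b"\x00\x02\xc0\x2f"                     # one cipher suite
            + b"\x01\x00"                             # null compression only
            + struct.pack("!H", len(exts)) + exts)
    return b"\x01" + len(body).to_bytes(3, "big") + body

def offered_alpn(hello):
    """Return the ALPN names offered in a ClientHello, or [] if the extension is absent."""
    if len(hello) < 4 or hello[0] != 1:
        raise ValueError("not a ClientHello handshake message")
    end = 4 + int.from_bytes(hello[1:4], "big")
    if end > len(hello):
        raise ValueError("truncated ClientHello")
    try:
        pos = 4 + 2 + 32                                      # header, version, random
        pos += 1 + hello[pos]                                 # session_id
        pos += 2 + int.from_bytes(hello[pos:pos + 2], "big")  # cipher_suites
        pos += 1 + hello[pos]                                 # compression_methods
    except IndexError:
        raise ValueError("malformed ClientHello") from None
    if pos + 2 > end:
        return []                                             # no extensions block at all
    ext_end = min(end, pos + 2 + int.from_bytes(hello[pos:pos + 2], "big"))
    pos += 2
    while pos + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
        pos += 4
        if etype == ALPN_EXT:
            data, names, i = hello[pos:pos + elen], [], 2     # skip 2-byte list length
            while i < len(data):
                names.append(data[i + 1:i + 1 + data[i]].decode("ascii", "replace"))
                i += 1 + data[i]
            return names
        pos += elen
    return []

def alpn_stripped(sent_by_client, seen_by_server):
    """True if the client offered h2 but the hello reaching the server carries no ALPN."""
    return "h2" in offered_alpn(sent_by_client) and not offered_alpn(seen_by_server)
```

A server that receives no ALPN extension has nothing to select from, so the connection proceeds as HTTP/1.x without either endpoint seeing an error.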