W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2015

Re: 2 questions

From: Eric J. Bowman <eric@bisonsystems.net>
Date: Tue, 31 Mar 2015 03:37:40 -0600
To: Glen <glen.84@gmail.com>
Cc: ietf-http-wg@w3.org
Message-Id: <20150331033740.def561bbd0bb2b3b4b724557@bisonsystems.net>
Glen wrote:
> 1. What were the reasons for HTTP/2 not requiring TLS?

Nutshell answer to Glen's original question, is consensus wasn't
reached in this WG for requiring TLS in HTTP/2.

> Is there a significant performance consideration, is it related to
> the cost of certificates (which is now fairly low or even free), or
> are there other technical reasons?

This entire thread is a discussion of why consensus wasn't reached,
within the framing of your original post, but that's still the answer to
your original question. What follows from me on the topic, is outside
that framework, or I wouldn't post. Because sometimes, technical and
social/political overlap, and that's where we are with this.

> It would be nice if the web was just "secure by default", and I would
> have thought that now would be the right time to move in that
> direction.

My personal opinion, as a content publisher, is that I don't want to
make promises I can't keep. Like "securing" or even privatizing your
visit to my website, if I don't even know who you are or where you come
from. Especially if my URLs leak your private info in REFERER...

My analogy is a speakeasy. If you don't want folks knowing you come in
and out the front door, you'd better have a password for the back door
(Copacabana shot in "Goodfellas" comes to mind), in which case I need
to know who you are. Ubiquitous HTTPS requires me to give everyone that
password, so philosophically speaking, what's the point of requiring it?

I'm +1 on the OpSec draft because of this. I don't care how much you
tip, you're not coming in my back door unless I know who you are. In
which case, you'll be taken care of to the best of my abilities. Which
includes not leaking your personal data to advertisers via URLs in the
REFERER header, which is a prominent Web problem ubiquitous HTTPS, and
even OpSec, don't begin to solve.

Ultimately, I don't believe in a "secure by default" vision of the Web.
What I'd like is to be able to verify to my site visitors, that their
viewed content hasn't been altered. By ad-injection or whatever, if
that's affecting a login page, I don't want them to log in from that
page. Because whether it's OpSec or ubiquitous HTTPS, my inability to
detect content alteration as a publisher, is my problem. For which I
don't see any solution proposed, so my +1 to OpSec is "lesser of two

IMHO, the closest we've come in HTTP was the now-deprecated Content-
Md5 header. It didn't play nice with Range requests. In retrospect,
instead of deprecating, we probably should have incorporated some means
to disable range requests when Content-Md5 was in play. Plus made it
registerable through IANA, i.e. now we'd have a Content-Sha256 header
or somesuch.

Just give me something where, from the server side, I can warn my
valued site visitors that something fishy's afoot between us. Instead
of promising them everything will be fine, by virtue of having 
browser-vendor-and-Google-approved HTTPS URLs which don't address the
main thing I could be doing wrong... But I guess I'm exonerated, if
everyone else buys into this flawed system, so What, me worry?

> Also, at least 2 of the major browser vendors have said that they
> won't be supporting HTTP/2 without TLS, so surely no one is going to
> want to run their website without it?

More onerous is Google tying HTTPS usage to "PageRank" for no reason
that makes any sense, other than throwing their weight around. Does
nothing for the hugely prevalent problem of poor URI allocation-scheme
design, which makes me wonder if ubiquitous HTTPS isn't counter-
productive to actually solving a privacy problem it only purports to
band-aid. The larger issue to me are all the sites HTTPS doesn't "fix"
because from where I sit, those are the majority of the sites we access
which can actually hurt us, IOW not browsing the local newspaper.

Did I make a medical reference? It's because HTTPS didn't stop the
personal health information of every U.S. citizen who entered it into
healthcare.gov from being transmitted to every partner corporation
involved in that website. We're supposed to trust that this data won't
be used because that would be against the law, but wouldn't it have
been better if the Identification of Resources constraint got the same
sort of press EFF's drummed up for ubiquitous HTTPS without, IMO, quite
understanding the problem?

My painful analogy, is ubiquitous HTTPS only even tries to solve the
problem of keeping the horse from bolting through the open barn doors.
Wouldn't it be better to approach the problem from the perspective of
closing the barn doors, if the intention is to keep horses inside of it?


Sorry for the tl;dr to arrive at that point, but "it is what it is".

Received on Tuesday, 31 March 2015 09:38:12 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:14:43 UTC