Re: comprehensive TLS is not the solution, it's a bug ... (was 2 questions)

Using https is a statement that you'd rather have no connectivity than
nonencrypted nonauthenticated communication.
If you use http you're not saying that, and you're opening yourself up for
all kinds of nastiness, e.g. you can force a downgrade to plaintext (port
80) by blocking port 443 for such URLs.


-=R
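The "rather no connectivity than a plaintext downgrade" stance above is what an HSTS (RFC 6797) policy store gives a client. As an added example that is not part of this thread, the Python below parses Strict-Transport-Security headers and decides whether an http URL must be rewritten to https with no fallback to port 80; host names and header values are constructed for illustration.

```python
import re
import time
from urllib.parse import urlsplit

# Constructed example: minimal HSTS policy store. Once a host has sent
# Strict-Transport-Security over https, the client treats it as https-only:
# http URLs are rewritten to https and a failed https connection (e.g. port
# 443 blocked on the path) is an error, never a fallback to plaintext.

_MAX_AGE = re.compile(r'max-age\s*=\s*"?(\d+)"?', re.IGNORECASE)


def parse_hsts(header):
    """Return (max_age_seconds, include_subdomains) or None if not parseable."""
    m = _MAX_AGE.search(header)
    if not m:
        return None
    directives = [d.strip().lower() for d in header.split(";")]
    return int(m.group(1)), "includesubdomains" in directives


class HstsPolicy:
    def __init__(self):
        self._hosts = {}  # host -> (expires_at, include_subdomains)

    def record(self, host, header, now=None):
        """Store the policy a host sent; max-age=0 deletes it (RFC 6797 6.1.1)."""
        parsed = parse_hsts(header)
        if parsed is None:
            return False
        max_age, subs = parsed
        now = time.time() if now is None else now
        if max_age == 0:
            self._hosts.pop(host.lower(), None)
        else:
            self._hosts[host.lower()] = (now + max_age, subs)
        return True

    def is_known(self, host, now=None):
        """True if host, or a parent with includeSubDomains, has a live policy."""
        now = time.time() if now is None else now
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._hosts.get(".".join(labels[i:]))
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False

    def resolve(self, url, now=None):
        """Return (url_to_fetch, plaintext_fallback_allowed)."""
        parts = urlsplit(url)
        if self.is_known(parts.hostname or "", now):
            return parts._replace(scheme="https").geturl(), False
        return url, parts.scheme == "http"
```

Only an http URL to a host with no stored policy may ever reach port 80; an https URL, or any URL to a known HSTS host, fails closed.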

On Tue, Mar 31, 2015 at 11:37 AM, Maxthon Chan <xcvista@me.com> wrote:

> Seems relevant, so I am just throwing it out here:
>
> How about making TLS mandatory, and the URL scheme “http:” and “https:”
> only determines whether the certificate is checked or not?
>
> Also, since HTTP/1.1 has a protocol upgrade mechanism, how about using
> that as a stepping stone to HTTP/2 (that is, all sessions are initiated as
> HTTP/1.1, and an HTTP/2-capable server tells the client it can start using
> HTTP/2 features in the resulting HTTP/1.1 header, and further communication
> is HTTP/2) so HTTP/2 will not depend on the TLS NPN feature (that is, HTTP/1.1
> protocol upgrade is used as a makeshift NPN)?
>
> > On Apr 1, 2015, at 02:28, Willy Tarreau <w@1wt.eu> wrote:
> >
> > On Tue, Mar 31, 2015 at 08:27:05PM +0200, Walter H. wrote:
> >> On 31.03.2015 13:47, Willy Tarreau wrote:
> >>>
> >>> ..., all of the messages I've read from Mr
> >>> "H." are quite confusing to me and talk about things totally unrelated
> >>> to TLS (eg: advertising etc) to the point that I'm now considering this
> >>> thread as rant or pollution.
> >> then I don't need to write anything to clarify ...
> >>> At least I don't understand the intent nor
> >>> what improvement is suggested here :-/
> >> your problem ...
> >
> > Given that you're saying yourself that others don't understand, I'm not
> > sure I'm the common point between them...
> >
> > Willy
> >
> >
>
>
>

Received on Tuesday, 31 March 2015 18:49:36 UTC