
Re: comprehensive TLS is not the solution, it's a bug ... (was 2 questions)

From: Maxthon Chan <xcvista@me.com>
Date: Wed, 01 Apr 2015 02:58:31 +0800
Cc: Willy Tarreau <w@1wt.eu>, "Walter H." <Walter.H@mathemainzel.info>, HTTP Working Group <ietf-http-wg@w3.org>
Message-id: <68682D6D-0189-4D44-9BF3-11E1FE1CB884@me.com>
To: Roberto Peon <grmocg@gmail.com>

I mean TLS is mandatory and all communications happen over port 443. However, without authentication any form of encryption is pointless, so the only difference between http and https here in my suggestion is whether the certificate is authenticated or not, but keeping TLS intact would allow other protocol features to be used, like NPN.

Or we need some other form of protocol negotiation that is compatible with HTTP/1.1, or we run the risk of breaking the Internet. My suggestion of this “other form of negotiation” is to use the HTTP/1.1 protocol upgrade or custom header mechanism to negotiate HTTP/2 operation over the first HTTP/1.1 request/response, since the main point of stageful differential requesting and responding does make a benefit on the first request.

> On Apr 1, 2015, at 02:49, Roberto Peon <grmocg@gmail.com> wrote:
> 
> 
> Using https is a statement that you'd rather have no connectivity than nonencrypted nonauthenticated communication.
> If you use http you're not saying that, and you're opening yourself up for all kinds of nastiness, e.g. you can force a downgrade to plaintext (port 80) by blocking port 443 for such urls.
> 
> 
> -=R
> 
> On Tue, Mar 31, 2015 at 11:37 AM, Maxthon Chan <xcvista@me.com <mailto:xcvista@me.com>> wrote:
> Seem relevant, so I am just throwing it out here:
> 
> How about making TLS mandatory, and the URL scheme “http:” and “https:” only determines whether the certificate is checked or not?
> 
> Also, since HTTP/1.1 has a protocol upgrade mechanism, how about using that as a stepping stone to HTTP/2 (that is, all sessions are initiated as HTTP/1.1, and an HTTP/2-capable server tells the client it can start using HTTP/2 features in the resulting HTTP/1.1 header, and further communication is HTTP/2) so HTTP/2 will not depend on the TLS NPN feature (that is, HTTP/1.1 protocol upgrade is used as a makeshift NPN).
> 
> > On Apr 1, 2015, at 02:28, Willy Tarreau <w@1wt.eu <mailto:w@1wt.eu>> wrote:
> >
> > On Tue, Mar 31, 2015 at 08:27:05PM +0200, Walter H. wrote:
> >> On 31.03.2015 13:47, Willy Tarreau wrote:
> >>>
> >>> ..., all of the messages I've read from Mr
> >>> "H." are quite confusing to me and talk about things totally unrelated
> >>> to TLS (eg: advertising etc) to the point that I'm now considering this
> >>> thread as rant or pollution.
> >> then I don't need to write anything to clarify ...
> >>> At least I don't understand the intent nor
> >>> what improvement is suggested here :-/
> >> your problem ...
> >
> > Given that you're saying yourself that others don't understand, I'm not
> > sure I'm the common point between them...
> >
> > Willy
> >
> >
> 
> 
> 
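The HTTP/1.1 upgrade negotiation proposed in this thread is the path RFC 7540 standardised for cleartext HTTP/2 (`Upgrade: h2c` plus an `HTTP2-Settings` header carrying a base64url-encoded SETTINGS payload). The following is an added example, not code from anyone in the thread: it builds the upgrade offer and checks the server's answer, treating anything other than a 101 that names h2c as "the connection stays HTTP/1.1". The host, path and sample responses are constructed.

```python
import base64
import struct

# SETTINGS identifiers from RFC 7540 section 6.5.2.
SETTINGS_MAX_CONCURRENT_STREAMS = 0x3
SETTINGS_INITIAL_WINDOW_SIZE = 0x4

# Constructed sample responses (not captured traffic).
SAMPLE_101 = b"HTTP/1.1 101 Switching Protocols\r\nConnection: Upgrade\r\nUpgrade: h2c\r\n\r\n"
SAMPLE_200 = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"


def encode_http2_settings(settings):
    """HTTP2-Settings value: SETTINGS payload (16-bit id, 32-bit value per
    entry), base64url-encoded with trailing '=' dropped (RFC 7540 3.2.1)."""
    payload = b"".join(struct.pack("!HI", ident, value)
                       for ident, value in sorted(settings.items()))
    return base64.urlsafe_b64encode(payload).rstrip(b"=").decode("ascii")


def build_upgrade_request(host, path, settings):
    """HTTP/1.1 request offering to switch the connection to cleartext HTTP/2."""
    lines = [f"GET {path} HTTP/1.1", f"Host: {host}",
             "Connection: Upgrade, HTTP2-Settings", "Upgrade: h2c",
             f"HTTP2-Settings: {encode_http2_settings(settings)}", "", ""]
    return "\r\n".join(lines).encode("ascii")


def _tokens(headers, name):
    # Comma-separated list header, case-insensitive, possibly repeated.
    return [t.strip().lower() for v in headers.get(name, []) for t in v.split(",")]


def server_accepted_upgrade(response_head):
    """True only for '101 Switching Protocols' that names h2c. Any other status
    (e.g. a normal 200) means the server ignored the offer: the connection stays
    HTTP/1.1 and the client must not start sending HTTP/2 frames."""
    head = response_head.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *header_lines = head.split("\r\n")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or parts[0] != "HTTP/1.1" or parts[1] != "101":
        return False
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value)
    return "h2c" in _tokens(headers, "upgrade") and "upgrade" in _tokens(headers, "connection")
```

Note that this negotiation runs over plaintext, so it only chooses the framing; it gives none of the authentication that the thread argues is the real point of https.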


Received on Tuesday, 31 March 2015 18:59:18 UTC
