
Re: comprehensive TLS is not the solution, it's a bug ... (was 2 questions)

From: Willy Tarreau <w@1wt.eu>
Date: Tue, 31 Mar 2015 21:06:23 +0200
To: Maxthon Chan <xcvista@me.com>
Cc: Roberto Peon <grmocg@gmail.com>, "Walter H." <Walter.H@mathemainzel.info>, HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <20150331190623.GH7183@1wt.eu>
On Wed, Apr 01, 2015 at 02:58:31AM +0800, Maxthon Chan wrote:
> I mean TLS is mandatory and all communication happens over port 443. However
> without authentication any form of encryption is pointless, so the only
> difference between http and https here in my suggestion is whether the
> certificate is authenticated or not, but keeping TLS intact would allow other
> protocol features to be used, like NPN.

All of this has been discussed to death 2 years ago already and many cases
were provided about a number of situations where this would cause more harm
than good. IoT devices were one example where you don't want to spend CPU
cycles encrypting. Being able to use the existing infrastructure as it is
is another important aspect. Forcing everyone to mix secure and non-secure
traffic on the same port doesn't necessarily come without any security/
confidentiality impact. And in my personal opinion, encrypting without
authenticating just to let people *feel* they're safe is not a good idea,
though I know that many don't share my view on this. Quite frankly, when
you want an admin to switch his internal servers to TLS, there's no better
solution than providing him with a network capture showing all his activities
in clear text. Really.

Regards,
Willy
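The "network capture showing all his activities in clear text" that Willy refers to can be reproduced without a packet sniffer. The script below is an added illustration, not code from the thread or from any project the participants work on: it takes the raw TCP payload of unencrypted HTTP/1.1 requests (a constructed byte string stands in for the reassembled stream from a pcap) and pulls out exactly what an on-path observer reads directly: request lines, Host, decoded Basic-auth credentials, cookies and form fields. Hostnames, paths and credentials in the sample are invented.

```python
"""Added example (not from the mailing-list thread): what an on-path observer
reads from a cleartext HTTP capture. The SAMPLE_STREAM bytes are constructed
here in place of a reassembled TCP stream from a real pcap."""
import base64
from urllib.parse import parse_qsl

# Constructed sample: two requests exactly as they would appear on the wire.
SAMPLE_STREAM = (
    b"GET /admin/ HTTP/1.1\r\n"
    b"Host: intranet.example.internal\r\n"
    b"Authorization: Basic YWRtaW46aHVudGVyMg==\r\n"
    b"Cookie: session=abc123; theme=dark\r\n"
    b"\r\n"
    b"POST /login HTTP/1.1\r\n"
    b"Host: intranet.example.internal\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 27\r\n"
    b"\r\n"
    b"user=alice&password=s3cret!"
)


def split_requests(stream: bytes):
    """Yield (request_line, headers, body) for each HTTP/1.1 request in a byte
    stream. Bodies are delimited by Content-Length only; chunked encoding is not
    handled, which is enough for the request side of a typical capture."""
    pos = 0
    while pos < len(stream):
        end = stream.find(b"\r\n\r\n", pos)
        if end == -1:
            break  # truncated request at end of capture
        head = stream[pos:end].decode("iso-8859-1")
        lines = head.split("\r\n")
        request_line = lines[0]
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        body_start = end + 4
        length = int(headers.get("content-length", "0"))
        body = stream[body_start:body_start + length]
        pos = body_start + length
        yield request_line, headers, body


def extract_secrets(stream: bytes):
    """Return one dict per request listing the sensitive material that is
    visible in the clear: Basic-auth user/password, cookies and form fields."""
    findings = []
    for request_line, headers, body in split_requests(stream):
        item = {"request": request_line, "host": headers.get("host", "")}

        auth = headers.get("authorization", "")
        if auth.lower().startswith("basic "):
            try:
                decoded = base64.b64decode(auth[6:], validate=True)
                user, _, password = decoded.decode("utf-8", "replace").partition(":")
                item["basic_auth"] = (user, password)
            except ValueError:
                item["basic_auth"] = None  # malformed token, still visible on the wire

        cookie = headers.get("cookie")
        if cookie:
            item["cookies"] = dict(
                part.strip().partition("=")[::2] for part in cookie.split(";") if "=" in part
            )

        ctype = headers.get("content-type", "").lower()
        if ctype.startswith("application/x-www-form-urlencoded") and body:
            item["form"] = dict(parse_qsl(body.decode("utf-8", "replace")))

        findings.append(item)
    return findings


if __name__ == "__main__":
    for f in extract_secrets(SAMPLE_STREAM):
        print(f["request"], "->", f["host"])
        for key in ("basic_auth", "cookies", "form"):
            if key in f:
                print(f"  {key}: {f[key]}")
```

Run against a real capture, replace SAMPLE_STREAM with the reassembled client-to-server payload of one TCP connection (for example, the output of a "Follow TCP stream" export); the point of the exercise is that nothing here requires breaking anything, only reading.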
Received on Tuesday, 31 March 2015 19:06:55 UTC
