Re: TLS ALPN Proposal v3

On Wed, Jul 22, 2015 at 11:59 AM, Stefan Eissing <stefan.eissing@greenbytes.de> wrote:

> But I sense a certain implicated feeling of safety in h2 client/server
> security requirements where reality is not that simple.


https provides transport security between the TLS endpoints. That is its
scope. There are many ways the endpoints can fail to provide equal security
beyond that - you mention one. There are a million more - many of which
have nothing to do with and are much harder than transport.

Obviously the weakest link is the point of vulnerability, and h2 has
updated itself to current best practices so that if it is the weakest link
that chain will be fairly strong (for now). That's good. I expect new
protocols to enforce best practices as best they can and I'm realistic that
some people will build fragile chains that include both h2 and plaintext...
the important thing is that h2 is appropriate to use in a strong chain.

Received on Wednesday, 22 July 2015 11:32:43 UTC