On Wed, Jul 22, 2015 at 11:59 AM, Stefan Eissing < stefan.eissing@greenbytes.de> wrote: > But I sense a certain implicated feeling of safety in h2 client/server > security requirements where reality is not that simple. https provides transport security between the TLS endpoints. That is its scope. There are many ways the endpoints can fail to provide equal security beyond that - you mention one, There are a million more - many of which have nothing to do with and are much harder than transport. Obviously the weakest link is the point of vulnerability, and h2 has updated itself to current best practices so that if it is the weakest link that chain will be fairly strong (for now). That's good. I expect new protocols to enforce best practices as best they can and I'm realistic that some people will build fragile chains that include both h2 and plaintext.. the important thing is that h2 is appropriate to use in a strong chain.
Received on Wednesday, 22 July 2015 11:32:43 UTC