Re: TLS ALPN Proposal v3

> On 22.07.2015 at 13:32, Patrick McManus <mcmanus@ducksong.com> wrote:
> 
> 
> 
> > On Wed, Jul 22, 2015 at 11:59 AM, Stefan Eissing <stefan.eissing@greenbytes.de> wrote:
> > But I sense a certain implicated feeling of safety in h2 client/server security requirements where reality is not that simple.
> 
> https provides transport security between the TLS endpoints. That is its scope. There are many ways the endpoints can fail to provide equal security beyond that - you mention one. There are a million more - many of which have nothing to do with and are much harder than transport.
> 
> Obviously the weakest link is the point of vulnerability, and h2 has updated itself to current best practices so that if it is the weakest link that chain will be fairly strong (for now). That's good. I expect new protocols to enforce best practices as best they can and I'm realistic that some people will build fragile chains that include both h2 and plaintext. The important thing is that h2 is appropriate to use in a strong chain.

I like the chain link analogy. Have to let it sink in a bit...

//Stefan

<green/>bytes GmbH
Hafenweg 16, 48155 Münster, Germany
Phone: +49 251 2807760. Amtsgericht Münster: HRB5782

Received on Wednesday, 22 July 2015 11:49:53 UTC