Re: HTTP/1.1 Request Smuggling Defense using Cryptographic Message Binding (new draft)

On 10/22/25 18:33, Michael Sweet wrote:
> Erik,
> 
>> On Oct 22, 2025, at 6:12 PM, Erik Nygren <nygren@gmail.com> wrote:
>> ...
>> Here is a much more opinionated position on this:  https://http1mustdie.com/
>> but I don't think it captures the reality that http1 isn't going to die anytime soon,
>> even if we publish an http1-considered-harmful draft.
> 
> IMHO this is more of an argument that HTTP/1.x *proxies* must die.
> 
> Direct connections to local HTTP/1.1 services (like the billions of printers, cameras, and other IoT widgets out there that aren't going away anytime soon...) should not be vulnerable to this sort of attack.

I think that HTTP/1.x proxies are fine, but *only* if they are
implemented as an independent HTTP server and HTTP client.
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)

Received on Friday, 24 October 2025 01:02:56 UTC
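
One way to read "an independent HTTP server and HTTP client" in code, as an added example that is not part of the original message or of any draft discussed in the thread: the server half parses each request strictly, and the client half writes a fresh message from the parsed fields, so no client-supplied framing bytes reach the upstream. The function names and the strictness choices (requests only, no chunk extensions or trailers, anything ambiguous rejected) are assumptions of this example.

```python
# Added illustration: names and strictness choices are this example's assumptions.
import re

TOKEN = re.compile(rb"[!#$%&'*+.^_`|~0-9A-Za-z-]+")   # method, field names
TARGET = re.compile(rb"[\x21-\x7e]+")                  # no spaces or controls
VALUE = re.compile(rb"[\t\x20-\x7e\x80-\xff]*")        # no CR, LF or NUL
DROP = {b"connection", b"keep-alive", b"te", b"upgrade",  # never copied: the
        b"transfer-encoding", b"content-length"}          # client half reframes

def dechunk(buf):  # strict decoder: no extensions, no trailers
    body, n = b"", 1
    while n:
        size, sep, buf = buf.partition(b"\r\n")
        if not sep or not re.fullmatch(rb"[0-9A-Fa-f]{1,8}", size):
            raise ValueError("bad chunk size")
        n = int(size, 16)
        if buf[n:n + 2] != b"\r\n":
            raise ValueError("bad chunk data or terminator")
        body, buf = body + buf[:n], buf[n + 2:]
    return body, buf

def parse_request(raw):  # server half: parsed fields out, or ValueError
    head, sep, rest = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    start = lines[0].split(b" ")
    if not (sep and len(start) == 3 and TOKEN.fullmatch(start[0])
            and TARGET.fullmatch(start[1]) and start[2] == b"HTTP/1.1"):
        raise ValueError("bad request line")
    headers = []
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not (colon and TOKEN.fullmatch(name) and VALUE.fullmatch(value)):
            raise ValueError("bad header line")
        headers.append((name.lower(), value.strip(b" \t")))
    cl = [v for n, v in headers if n == b"content-length"]
    te = [v for n, v in headers if n == b"transfer-encoding"]
    if ((cl and te) or len(cl) > 1 or len(te) > 1 or (cl and not cl[0].isdigit())
            or (te and te[0].lower() != b"chunked")):
        raise ValueError("ambiguous or unsupported framing")
    n = int(cl[0]) if cl else 0
    if len(rest) < n:
        raise ValueError("body shorter than Content-Length")
    body, rest = dechunk(rest) if te else (rest[:n], rest[n:])
    return start[0], start[1], headers, body, rest

def build_request(method, target, headers, body):  # client half
    out = [method + b" " + target + b" HTTP/1.1"]
    out += [n + b": " + v for n, v in headers if n not in DROP]
    out.append(b"content-length: %d" % len(body))
    return b"\r\n".join(out) + b"\r\n\r\n" + body
```

The unread bytes returned by `parse_request` go back through `parse_request` as the next request; they are never passed to the upstream as-is.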