[cryptography] Fwd: Moving forward on improving HTTP's security

Greg greg at kinostudios.com
Wed Nov 13 14:06:44 EST 2013


Some sanity appears:

On Nov 13, 2013, at 1:57 PM, Mike Bishop <Michael.Bishop at microsoft.com> wrote:

> While the language may be strong, I agree with the sentiment that they are distinct mechanisms.  Mark has proposed a mechanism, independent of HTTP/2.0, which can be used to migrate from an HTTP connection to an HTTPS connection.  That’s a separate proposal from HTTP/2.0.  The actual “security” of HTTPS is entirely dependent on TLS and completely orthogonal to HTTP/2.0.
>  
> From: Tao Effect [mailto:contact at taoeffect.com] 
> Sent: Wednesday, November 13, 2013 10:54 AM
> To: Martin Thomson
> Cc: "William Chan (陈智昌)"; Mike Belshe; Tim Bray; James M Snell; Mark Nottingham; HTTP Working Group
> Subject: Re: Moving forward on improving HTTP's security
>  
> OK, I agree with this sentiment.
>  
> What worries me is the emphasis that I see being placed on HTTP 2.0 being "secure".
>  
> Perhaps it is somewhat of a marketing problem, but nevertheless, it's a marketing problem with potentially serious security consequences.
>  
> If HTTP/2.0 is flexible enough to allow for very different types of authentication practices than the ones currently done with the PKI/CA system, then I would support it.
>  
> Just make it _clear_ then that HTTP/2.0 is not about improving security.
>  
> If this is not made crystal clear, then people will continue to see news headlines on tech sites that give people the impression that something is actually being done to improve the internet's security with this "move to HTTP 2.0!", which is horse sh*t.
>  
> - Greg


--
Please do not email me anything that you are not comfortable also sharing with the NSA.
