[cryptography] STARTTLS for HTTP
ryacko at gmail.com
Tue Aug 19 02:09:41 EDT 2014
It would be secure against wifi eavesdropping. But worse, it might instill a
false sense of security.
On Mon, Aug 18, 2014 at 9:29 PM, Tony Arcieri <bascule at gmail.com> wrote:
> Anyone know why this hasn't gained adoption?
> I've been watching various efforts at widespread opportunistic encryption,
> like TCPINC and STARTTLS in SMTP. It's made me wonder why it isn't used for
> Opportunistic encryption could be completely transparent. We don't need
> any external facing UI changes for users (although perhaps plaintext HTTP
> on port 80 could show a broken lock). Instead, if the server and client
> mutually support it, TLS with an unauthenticated key exchange is used.
> It seems most modern web browsers and web servers are built with TLS
> support. Why not always flip it on if it's available on both sides, even if
> it's trivially MitMed?
> Tony Arcieri
> cryptography mailing list
> cryptography at randombit.net