[cryptography] STARTTLS for HTTP

Ryan Carboni ryacko at gmail.com
Tue Aug 19 02:09:41 EDT 2014


It would be secure against wifi eavesdropping. But worse, it might instill a
false sense of security.



On Mon, Aug 18, 2014 at 9:29 PM, Tony Arcieri <bascule at gmail.com> wrote:

> Anyone know why this hasn't gained adoption?
>
> http://tools.ietf.org/html/rfc2817
>
> I've been watching various efforts at widespread opportunistic encryption,
> like TCPINC and STARTTLS in SMTP. It's made me wonder why it isn't used for
> HTTP.
>
> Opportunistic encryption could be completely transparent. We don't need
> any external facing UI changes for users (although perhaps plaintext HTTP
> on port 80 could show a broken lock). Instead, if the server and client
> mutually support it, TLS with an unauthenticated key exchange is used.
>
> It seems most modern web browsers and web servers are built with TLS
> support. Why not always flip it on if it's available on both sides, even if
> it's trivially MitMed?
>
> --
> Tony Arcieri
>
> _______________________________________________
> cryptography mailing list
> cryptography at randombit.net
> http://lists.randombit.net/mailman/listinfo/cryptography
>
>
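As an added illustration (not code from either poster), a toy model of the RFC 2817 negotiation Tony asks about and of the silent-downgrade case behind Ryan's "false sense of security" point. The header names and the 101 status come from RFC 2817; the function names, the sample host and the plaintext-vs-TLS server flag are assumptions of the example.

```python
# Added example, not from the thread: a toy model of the RFC 2817 negotiation
# Tony asks about and the silent-downgrade case behind Ryan's "false sense of
# security". Header names and the 101 status are RFC 2817; the rest is assumed.

def build_upgrade_request(host: str, path: str = "/") -> bytes:
    """Client: HTTP/1.1 request asking to switch this connection to TLS (RFC 2817 s3.2)."""
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Upgrade: TLS/1.0\r\n"
        "Connection: Upgrade\r\n\r\n"
    ).encode()

def parse_request(raw: bytes) -> tuple[str, dict[str, str]]:
    """Split a request into its request line and a lower-cased header dict."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode()
    request_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return request_line, headers

def requests_tls_upgrade(headers: dict[str, str]) -> bool:
    """Server: RFC 2817 needs both 'Upgrade: TLS/1.0' and 'Connection: Upgrade'."""
    upgrade = {t.strip().upper() for t in headers.get("upgrade", "").split(",")}
    connection = {t.strip().lower() for t in headers.get("connection", "").split(",")}
    return "TLS/1.0" in upgrade and "upgrade" in connection

def server_respond(raw: bytes, server_has_tls: bool) -> str:
    """Status line the server sends; 101 means 'TLS handshake starts now'."""
    _, headers = parse_request(raw)
    if server_has_tls and requests_tls_upgrade(headers):
        return "HTTP/1.1 101 Switching Protocols"
    # Plaintext answer: the client cannot tell *why* it did not get 101.
    return "HTTP/1.1 200 OK"

def model_onpath_downgrade(raw: bytes) -> bytes:
    """Model of the 'trivially MitMed' case: the two negotiation headers vanish in transit."""
    head, body = raw.split(b"\r\n\r\n", 1)
    kept = [l for l in head.split(b"\r\n")
            if not l.lower().startswith((b"upgrade:", b"connection:"))]
    return b"\r\n".join(kept) + b"\r\n\r\n" + body

if __name__ == "__main__":
    req = build_upgrade_request("example.com")          # constructed sample request
    print("honest server with TLS:   ", server_respond(req, True))
    print("server without TLS:       ", server_respond(req, False))
    print("TLS server, headers lost: ", server_respond(model_onpath_downgrade(req), True))
```

The last two cases produce the same 200 response, which is the whole problem: without authentication the client cannot distinguish "server has no TLS" from "someone on the path removed the offer".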