[cryptography] [Cryptography] STARTTLS for HTTP
stephen.farrell at cs.tcd.ie
Tue Aug 19 07:18:52 EDT 2014
Forgotten link added below...
On 19/08/14 11:57, Stephen Farrell wrote:
> On 19/08/14 07:09, Ryan Carboni wrote:
>> It would be secure against wifi eavesdropping. But worse it might instill a
>> false sense of security.
> Well, protocols don't do that, but user agents (browsers in this case)
> can. However, the httpbis WG are on the topic and have a proposal
> for HTTP/2.0 for opportunistic security  that they're working on
> that I don't believe has that problem. (There's no user indication
> at all that its happening.)
> I'm not sure why 2817 never took off, but suspect its mostly that
> 2818 had already taken off when both were published.
>> On Mon, Aug 18, 2014 at 9:29 PM, Tony Arcieri <bascule at gmail.com> wrote:
>>> Anyone know why this hasn't gained adoption?
>>> I've been watching various efforts at widespread opportunistic encryption,
>>> like TCPINC and STARTTLS in SMTP. It's made me wonder why it isn't used for
>>> Opportunistic encryption could be completely transparent. We don't need
>>> any external facing UI changes for users (although perhaps plaintext HTTP
>>> on port 80 could show a broken lock). Instead, if the server and client
>>> mutually support it, TLS with an unauthenticated key exchange is used.
>>> It seems most modern web browsers and web servers are built with TLS
>>> support. Why not always flip it on if it's available on both sides, even if
>>> it's trivially MitMed?
>>> Tony Arcieri
>>> cryptography mailing list
>>> cryptography at randombit.net
>> The cryptography mailing list
>> cryptography at metzdowd.com
> cryptography mailing list
> cryptography at randombit.net
More information about the cryptography