[cryptography] [Cryptography] STARTTLS for HTTP

Stephen Farrell stephen.farrell at cs.tcd.ie
Tue Aug 19 07:18:52 EDT 2014



Forgotten link added below...



On 19/08/14 11:57, Stephen Farrell wrote:
> 
> Hiya,
> 
> On 19/08/14 07:09, Ryan Carboni wrote:
>> It would be secure against wifi eavesdropping. But worse it might instill a
>> false sense of security.
> 
> Well, protocols don't do that, but user agents (browsers in this case)
> can. However, the httpbis WG are on the topic and have a proposal
> for HTTP/2.0 for opportunistic security [1] that they're working on
> that I don't believe has that problem. (There's no user indication
> at all that its happening.)
> 
> I'm not sure why 2817 never took off, but suspect its mostly that
> 2818 had already taken off when both were published.
> 
> S.

[1] https://tools.ietf.org/html/draft-ietf-httpbis-http2-encryption

> 
>>
>>
>>
>> On Mon, Aug 18, 2014 at 9:29 PM, Tony Arcieri <bascule at gmail.com> wrote:
>>
>>> Anyone know why this hasn't gained adoption?
>>>
>>> http://tools.ietf.org/html/rfc2817
>>>
>>> I've been watching various efforts at widespread opportunistic encryption,
>>> like TCPINC and STARTTLS in SMTP. It's made me wonder why it isn't used for
>>> HTTP.
>>>
>>> Opportunistic encryption could be completely transparent. We don't need
>>> any external facing UI changes for users (although perhaps plaintext HTTP
>>> on port 80 could show a broken lock). Instead, if the server and client
>>> mutually support it, TLS with an unauthenticated key exchange is used.
>>>
>>> It seems most modern web browsers and web servers are built with TLS
>>> support. Why not always flip it on if it's available on both sides, even if
>>> it's trivially MitMed?
>>>
>>> --
>>> Tony Arcieri
>>>
>>> _______________________________________________
>>> cryptography mailing list
>>> cryptography at randombit.net
>>> http://lists.randombit.net/mailman/listinfo/cryptography
>>>
>>>
>>
>>
>>
>> _______________________________________________
>> The cryptography mailing list
>> cryptography at metzdowd.com
>> http://www.metzdowd.com/mailman/listinfo/cryptography
>>
> _______________________________________________
> cryptography mailing list
> cryptography at randombit.net
> http://lists.randombit.net/mailman/listinfo/cryptography
> 
> 


More information about the cryptography mailing list