[cryptography] STARTTLS for HTTP

Kevin kevinsisco61784 at gmail.com
Tue Aug 19 12:00:21 EDT 2014


On 8/19/2014 12:29 AM, Tony Arcieri wrote:
> Anyone know why this hasn't gained adoption?
>
> http://tools.ietf.org/html/rfc2817
>
> I've been watching various efforts at widespread opportunistic 
> encryption, like TCPINC and STARTTLS in SMTP. It's made me wonder why 
> it isn't used for HTTP.
>
> Opportunistic encryption could be completely transparent. We don't 
> need any external facing UI changes for users (although perhaps 
> plaintext HTTP on port 80 could show a broken lock). Instead, if the 
> server and client mutually support it, TLS with an unauthenticated key 
> exchange is used.
>
> It seems most modern web browsers and web servers are built with TLS 
> support. Why not always flip it on if it's available on both sides, 
> even if it's trivially MitMed?
>
> -- 
> Tony Arcieri
>
>
> _______________________________________________
> cryptography mailing list
> cryptography at randombit.net
> http://lists.randombit.net/mailman/listinfo/cryptography
I think section 8.1 answers your question.  People will most likely feel 
that the risks make this mechanism not worth it.


-- 
Kevin
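The mechanism the thread is discussing is the RFC 2817 in-band upgrade: the client adds "Upgrade: TLS/1.0" and "Connection: Upgrade" to an ordinary HTTP/1.1 request, the server answers "101 Switching Protocols", and both sides then run a TLS handshake on the same socket (or the server insists with "426 Upgrade Required"). The following is an added example, not code from the thread or from any browser or server: it models only the HTTP header exchange of that negotiation, plus an on-path party that strips the hop-by-hop Upgrade header, to show concretely why the opportunistic, unauthenticated variant Tony describes is a silent downgrade. The function names (build_upgrade_request, server_handle, strip_upgrade, simulate) and the host example.org are assumptions made for the example; the TLS handshake that would follow the 101 is not performed here.

```python
"""RFC 2817 Upgrade: TLS/1.0 negotiation at the HTTP layer (added example,
not from the original thread). Header names are lower-cased on parse; HTTP
header field names are case-insensitive, so nothing is lost."""


def _parse_headers(raw: bytes):
    # Split one HTTP/1.1 message head into (start line, {name: value}, body).
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        # Repeated fields are merged as a comma-separated list (RFC 7230 s.3.2.2).
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return lines[0], headers, body


def _tokens(value: str):
    # Comma-separated header tokens, normalised for comparison.
    return [t.strip().lower() for t in value.split(",") if t.strip()]


def build_upgrade_request(host: str, method: str = "OPTIONS", target: str = "*") -> bytes:
    # RFC 2817 s.3.1: any request may carry Upgrade: TLS/1.0. Because Upgrade
    # is hop-by-hop it must also be listed in Connection: to be honoured.
    return (f"{method} {target} HTTP/1.1\r\n"
            f"Host: {host}\r\n"
            "Upgrade: TLS/1.0\r\n"
            "Connection: Upgrade\r\n\r\n").encode()


def server_wants_tls(request: bytes) -> bool:
    # True iff the client actually offered the upgrade in this hop's headers.
    _, hdrs, _ = _parse_headers(request)
    return ("tls/1.0" in _tokens(hdrs.get("upgrade", ""))
            and "upgrade" in _tokens(hdrs.get("connection", "")))


def build_101_response() -> bytes:
    # RFC 2817 s.3.2: after this response the server starts the TLS handshake
    # on the same connection and the HTTP exchange resumes inside it.
    return (b"HTTP/1.1 101 Switching Protocols\r\n"
            b"Upgrade: TLS/1.0, HTTP/1.1\r\n"
            b"Connection: Upgrade\r\n\r\n")


def build_426_response() -> bytes:
    # RFC 2817 s.4.2: the server refuses to proceed in plaintext.
    return (b"HTTP/1.1 426 Upgrade Required\r\n"
            b"Upgrade: TLS/1.0, HTTP/1.1\r\n"
            b"Connection: Upgrade\r\n"
            b"Content-Length: 0\r\n\r\n")


def server_handle(request: bytes, supports_tls: bool, require_tls: bool = False):
    """Server side: (bytes written back, whether the server now starts TLS)."""
    if supports_tls and server_wants_tls(request):
        return build_101_response(), True
    if require_tls:
        return build_426_response(), False
    return b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n", False


def client_next_step(response: bytes) -> str:
    """Client side: 'start_tls', 'retry_with_upgrade' (426) or 'plaintext'."""
    status, hdrs, _ = _parse_headers(response)
    code = int(status.split(" ", 2)[1])
    if code == 101 and "tls/1.0" in _tokens(hdrs.get("upgrade", "")):
        return "start_tls"
    if code == 426:
        return "retry_with_upgrade"
    return "plaintext"


def strip_upgrade(request: bytes) -> bytes:
    # Hypothetical on-path party. Upgrade is hop-by-hop (RFC 7230 s.6.1), so a
    # proxy that does not speak the upgrade drops it routinely; an attacker
    # does the same on purpose and the request stays perfectly well-formed.
    start, hdrs, body = _parse_headers(request)
    hdrs.pop("upgrade", None)
    conn = [t for t in _tokens(hdrs.get("connection", "")) if t != "upgrade"]
    if conn:
        hdrs["connection"] = ", ".join(conn)
    else:
        hdrs.pop("connection", None)
    lines = [start] + [f"{k}: {v}" for k, v in hdrs.items()]
    return ("\r\n".join(lines) + "\r\n\r\n").encode() + body


def simulate(host: str, server_supports_tls: bool,
             strip_on_path: bool = False, require_tls: bool = False) -> str:
    """Run one client/server round trip and report how the connection ends up."""
    req = build_upgrade_request(host)
    if strip_on_path:
        req = strip_upgrade(req)
    resp, server_tls = server_handle(req, server_supports_tls, require_tls)
    step = client_next_step(resp)
    # TLS starts only if both ends agreed on this hop; otherwise the client
    # just continues in the clear exactly as with a server that never offered it.
    return "tls" if step == "start_tls" and server_tls else step


if __name__ == "__main__":
    print(simulate("example.org", server_supports_tls=True))                        # tls
    print(simulate("example.org", server_supports_tls=True, strip_on_path=True))    # plaintext
    print(simulate("example.org", server_supports_tls=True, strip_on_path=True,
                   require_tls=True))                                               # retry_with_upgrade
```

The third case is the one that matters for the opportunistic proposal: with the Upgrade header stripped, the client receives an ordinary 200 and ends in plaintext with no signal that anything was removed, so a "broken lock" indicator cannot distinguish a downgraded connection from a server that never supported the upgrade. Only the 426 path, where the server refuses plaintext, makes the stripping visible, and that is no longer opportunistic.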
