[cryptography] [Cryptography] STARTTLS for HTTP

Ryan Carboni ryacko at gmail.com
Fri Aug 22 20:01:04 EDT 2014


Firefox users are probably going to keep using Firefox.
Chrome users are probably going to keep using Chrome.
Opera users use Opera because of it's nice little features.
IE users are likely using a pirated version of Windows and live in China.
https://en.wikipedia.org/wiki/Brand_loyalty
The marginal difference between Firefox and Chrome, beyond Chrome's
sandbox, isn't particularly great.


On Thu, Aug 21, 2014 at 7:14 AM, Salz, Rich <rsalz at akamai.com> wrote:

> > It would be secure against wifi eavesdropping. But worse it might
> instill a false sense of security.
>
> Well, maybe.  The "rules" say that you don't treat HTTP over TLS as if it
> were HTTPS.  It's unauthenticated. And the end-user isn't really supposed
> to be led into thinking that the user-agent is making things secure.  The
> rules for handling cookies, for example, don't let them become "secure
> cookies" just because they were fetched over an encrypted link.
>
> It's a hard concept to wrap your head around unless you're a hardcore HTTP
> geek.  You have to think about what the HTTP/2 spec says, carefully. It's
> an implementor's document, not an end-user document.
>
> So what will happen?  Hard to say.  Firefox has said they're going to use
> HTTP over TLS because they want as much encryption as possible. Chrome has
> said they will not do it because they want as much authenticated encryption
> as possible. IE has said no, but seems to be thinking about yes. I haven't
> heard what Opera's said, if anything. And Safari is, as usual for Apple,
> keeping things to themselves.
>
> It's definitely in a state of flux. And trying to guess what the browsers
> will do is very much the n-body problem, because they all affect each other
> as they call compete for market share.
>
>         /r$
>
> --
> Principal Security Engineer
> Akamai Technologies, Cambridge MA
> IM: rsalz at jabber.me Twitter: RichSalz
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.randombit.net/pipermail/cryptography/attachments/20140822/038e314e/attachment-0001.html>


More information about the cryptography mailing list