
Re: [IAB] Mandatory encryption as part of HTTP2

2013-11-15 06:56:00
On 15 nov 2013, at 12:14, Hannes Tschofenig 
<hannes(_dot_)tschofenig(_at_)gmx(_dot_)net> wrote:

> We mandate other things in protocol specifications as well (that aim to take 
> performance, for example, to a specific level) then why not also certain 
> security features.

I'm all for mandating certain security features. A big part of that is not 
having insecure stuff in version 1 of protocols, because once the can is open, 
the worms never (completely) crawl back in. However, mandates in the form "if 
you do X you may only do it in manner Y" don't mean much, because the IETF has 
no real-world power beyond the text of its specifications.

That aside, just saying "you MUST do TLS with HTTP/2.0" doesn't buy much 
security in a world where CAs are not trustworthy, people still use RC4/MD5, 
use woefully short keys for otherwise strong algorithms, browsers have 
effectively trained people to always click "visit anyway" and so on.

Also, there are cases where encryption isn't needed, and cases where it's not 
desired. An example close to home: a while back, some IETF meeting related 
page, the agenda perhaps, would only be available over HTTPS. And it was 
extremely slow. Not sure if this was because the server was overloaded, session 
keys were negotiated every time (which shouldn't be necessary) or the page 
wouldn't be cached (which should be possible), but the end result was that a 
static file that is available to everyone without credentials was much harder 
to access for no benefit. Unless you pad all your pages as well as their URLs 
to the same length, it's trivial for snoops to see who got which page simply by 
observing the length of the exchange.

With security, the perfect tends to be the enemy of the good. Let's focus our 
efforts on getting everything encrypted that needs to be encrypted, and do so 
according to the state of the art rather than sloppily as often happens today, 
rather than fight over whether people get to serve unencrypted stuff over 
HTTP/1.1 or HTTP/2.0. "Encrypt everything" makes for a good soundbite, but it's 
a terrible policy.
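The length-leak point in the last paragraph but one (an observer who sees only ciphertext sizes can tell which static page was fetched, unless pages are padded to the same length) can be made concrete. The script below is an added example, not code from the thread or from any IETF tool. It uses a constructed table of hypothetical page sizes, models only the response body length (ignoring TLS record framing, compression and the URL length in the request, which the post notes leaks in the same way), and reports how many pages share a given on-the-wire length with and without padding to a fixed bucket size.

```python
# Added example (not from the thread): response length as a side channel
# over TLS, and padding to a bucket size as the mitigation the post mentions.
from collections import Counter
from math import ceil

# Constructed sample: hypothetical static pages on a meeting site and their
# body sizes in bytes. The paths and numbers are made up for illustration.
SAMPLE_PAGES = {
    "/agenda.html": 14231,
    "/minutes.html": 9870,
    "/attendees.html": 14180,
    "/venue.html": 3021,
    "/wg/httpbis.html": 9870,
}


def pad_length(size: int, bucket: int) -> int:
    """Length a body would have on the wire if padded up to a multiple of `bucket`."""
    if bucket <= 0:
        raise ValueError("bucket must be positive")
    return ceil(size / bucket) * bucket


def anonymity_sets(pages, bucket=None):
    """Map each page to the number of pages that look identical on the wire.

    An observer who only sees ciphertext lengths cannot distinguish pages
    whose (padded) lengths are equal; the set of such pages is the page's
    anonymity set. With bucket=None no padding is applied.
    """
    wire = {
        path: (size if bucket is None else pad_length(size, bucket))
        for path, size in pages.items()
    }
    counts = Counter(wire.values())
    return {path: counts[length] for path, length in wire.items()}


def uniquely_identified(pages, bucket=None):
    """Paths a length-only observer can pin down with certainty (set size 1)."""
    return sorted(p for p, n in anonymity_sets(pages, bucket).items() if n == 1)


if __name__ == "__main__":
    # Without padding three of the five pages have a unique length; padding to
    # 1 KiB buckets leaves one, and a 16 KiB bucket hides all of them.
    print("no padding   :", uniquely_identified(SAMPLE_PAGES))
    for b in (1024, 4096, 16384):
        print(f"pad to {b:5d} :", uniquely_identified(SAMPLE_PAGES, b))
```

The trade-off the post alludes to is visible in the output: the bucket has to be as large as the biggest page before every page becomes indistinguishable, which is exactly the bandwidth cost of serving an already public file over an encrypted channel for no confidentiality gain.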