On 15.11.13 13:55, Iljitsch van Beijnum wrote:
> That aside, just saying "you MUST do TLS with HTTP/2.0" doesn't buy
> much security in a world where CAs are not trustworthy, people still
> use RC4/MD5, use woefully short keys for otherwise strong algorithms,
> browsers have effectively trained people to always click "visit
> anyway" and so on.
That's a common argument I hear. We cannot do "X" because there is also
this security issue with "Y". With that approach you will never get
anything done.
For that reason our approach is to improve the design of new protocols
(like HTTP2) and at the same time to try to improve the CA ecosystem as
well. In fact, we even have a work item on that topic within the
recently created IAB security program, which I happen to lead.
> With security, the perfect tends to be the enemy of the good.
Given the current state of security on the Internet, as is clearly being
demonstrated right now, I don't think we are talking about the "perfect"
here at all.
Ciao
Hannes