Re: Fwd: The ability to automatically upgrade a reference to HTTPS from HTTP

2014-08-22 16:37:42
On Fri, Aug 22, 2014 at 12:16:22PM -0700, Tim Bray wrote:
From: "Tim Berners-Lee" <timbl(_at_)w3(_dot_)org>

[...]

Here is a proposal, that we need this convention:

         If two URIs differ only in the 's' of 'https:', then they may
         never be used for different things.

[...]

What this means is that a client given an http:  URL in a reference is
always free to try out the HTTPS, just adding an S, and use result if the
 is successful.

It's too late for that though: all too often the two resources are not the
same.

Though a server could advertise that they are the same, but the client
would first have to try HTTPS to find out, increasing latency when the
server doesn't (which would be the common case at first).

IIUC the HTTP/2.0 folks are working on one transport to access both
kinds of resources.  And if we apply the opportunistic security pattern
to this we should be able to get encrypted security (even if often
unauthenticated) when using http URIs.

Or do we have to only build serious internet applications as browser
extensions or native apps?

I agree with the idea though, that we should apply opportunistic
security when we would otherwise just use plaintext!

I suspect this has been discussed in many fora -- apologies if the issue is
already noted and resolved, and do point to where it has

Please look at the opportunistic security (OS) effort currently under
IETF LC, draft-dukhovni-opportunistic-security.

Nico
--
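
The upgrade behaviour discussed in this message, as an added example that is not part of the original post: a client tries the https: twin of an http: URI first and counts the attempts, which shows the extra round trip when the server does not say the two resources are the same. The fetch callback, its "advertises_same" flag and the *.example origins are assumptions constructed for the illustration; the thread does not define how a server would advertise equivalence.

```python
from urllib.parse import urlsplit, urlunsplit

def add_s(uri):
    """'Just adding an S': return the https: twin of an http: URI, else None."""
    parts = urlsplit(uri)
    if parts.scheme != "http":
        return None
    # Keep authority (including any explicit port), path, query and fragment.
    return urlunsplit(("https",) + tuple(parts)[1:])

def fetch_upgraded(uri, fetch):
    """Try the https: twin first, fall back to the original http: URI.

    fetch(uri) is a caller-supplied (hypothetical) transport that returns
    (body, advertises_same) and raises OSError on failure.
    Returns (uri_used, body, attempts).
    """
    twin = add_s(uri)
    if twin is None:
        body, _ = fetch(uri)
        return uri, body, 1
    try:
        body, advertises_same = fetch(twin)
    except OSError:
        advertises_same = False
    if advertises_same:
        return twin, body, 1
    # HTTPS failed, or answered without saying it is the same resource, so
    # its body cannot be assumed to be what the reference meant. Falling
    # back costs a second attempt and only protects against passive
    # observers, since anyone able to block HTTPS forces the plaintext path.
    body, _ = fetch(uri)
    return uri, body, 2

# Constructed origins standing in for real servers.
SITES = {
    "https://same.example/doc": (b"doc", True),
    "http://same.example/doc": (b"doc", False),
    "https://differs.example/doc": (b"login page", False),
    "http://differs.example/doc": (b"doc", False),
    "http://plain.example/doc": (b"doc", False),
}

def fake_fetch(uri):
    """Offline stand-in for a network fetch over the constructed SITES."""
    if uri not in SITES:
        raise OSError("connection refused: " + uri)
    return SITES[uri]
```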