Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP

Dick Hardt <dick.hardt@gmail.com> Mon, 03 December 2012 03:26 UTC

From: Dick Hardt <dick.hardt@gmail.com>
In-Reply-To: <ab6bd2f5cb43f5e925455a365db01998@gorard.co.uk>
Date: Sun, 02 Dec 2012 19:25:54 -0800
Message-Id: <EF2E18F6-2F60-4033-89BA-C7825E11840A@gmail.com>
References: <pgauj587ym5drb1i5geo6hem.1354192360769@email.android.com> <CAAJ++qFJK_Crfj7_A6a4E8sPvq6CLYtKZOdDaVEcAp86q7H7wA@mail.gmail.com> <CAAz=sckP2w6-gMfVg-xBBVPcM7wDSerbzdbYXeOY_OpmdbToDQ@mail.gmail.com> <B1DBA05D-BB17-4BBE-893B-490199FC5F5E@ve7jtb.com> <CAAJ++qFfgi2Eu_MBe3drL1zRZJ=x0b5gVgNJ10j6TFimOta4qw@mail.gmail.com> <1268667C-895D-4273-94C8-E057D64FD349@josephholsten.com> <014901cdce6a$6943aaf0$3bcb00d0$@packetizer.com> <CAJu8rwX2n54P9prxrqzXZnc-5WeyFoHxhYcD=fvLkfh9FCUU7Q@mail.gmail.com> <016f01cdce6e$8a168af0$9e43a0d0$@packetizer.com> <CAJu8rwUvSFnhh171Xm90k1wm5bLKo_SGqs7L+cQ_QioHWzqNgQ@mail.gmail.com> <025701cdce84$a8a1bfb0$f9e53f10$@packetizer.com> <CAADDC71-1FBB-4411-B61A-359F878724A6@gmail.com> <036301cdceb1$3ae93e30$b0bbba90$@packetizer.com> <CAAJ++qGmx3hYt3f2kQ8BaVRe4ggA8F5jLyB1F-zawF-pkMA0dw@mail.gmail.com> <039001cdceb4$b65c7480$23155d80$@packetizer.com> <9AE8993E-92CB-499B-AC47-C7477FF765CC@gmail.com> <CAK3OfOjx5RRtC3ZR0tZRsvQY+tnTNtjooAQmmnJjeDHuda9qxQ@mail.gmail.com> <BBBD4E76-1B6D-4C88-82A2-5815AF9D1589@ve7jtb.com> <CAA1s49Vu+LKXr36wheH3qJZcGLyjGuJrD_xs7eXaYjVC8mUz=A@mail.gmail.com> <CAK3OfOj5fqoybKqvdruwAqOhjdp5VxSMAKK1NdDfdn+OEVOSFw@mail.gmail.com> <CAK3OfOi-jM3J=fVqNrO-6f5qVLbqQBMFJPwFBZQO8CVQv3VK+g@mail.gmail.com> <CAAz=sc=wER+3jANNhwq7q2FSveUpPL3fW9RAF7ZAx=czSQVqbQ@mail.gmail.com> <073201cdd041$d2050b50$760f21f0$@packetizer.com> <B504193B-EE58-455F-9851-6A45E56BF828@ve7jtb.com> <CAMQ7dq4tfF08=y0D-5bA9SONPe1xHstXdm2=QqkSD_trRE1Jzw@mail.gmail.com> <078801cdd067$4cdfb2b0$e69f1810$@packetizer.com> <0BB05AB9-6D89-4CBC-8724-B1744BE95A94@gmail.com> <ab6bd2f5cb43f5e925455a365db01998@gorard.co.uk>
To: jonathan@gorard.co.uk
Cc: webfinger@googlegroups.com, apps-discuss@ietf.org
Subject: Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP

On Dec 2, 2012, at 12:25 PM, jonathan@gorard.co.uk wrote:

> On 2012-12-02 15:00, Dick Hardt wrote:
>> On Dec 2, 2012, at 12:30 AM, "Paul E. Jones" <paulej@packetizer.com> wrote:
>>> In any case, the current document encourage use of HTTPS.  But, it still
>>> allows for HTTP and I can see some valid cases for it.
>> 
>> What are the valid use cases?
>> 
>> Keep in mind we are adding complexity to clients by allowing both, so
>> there is a real cost to allowing both. I'm not clear what we are
>> losing by HTTPS-only
>> 
>> -- Dick
> 
> Surely mandating HTTPS for all connections would not only increase overhead by forcing SSL key exchange where it isn't necessary, but wouldn't it remove the ability to cache web content, thereby crippling the performance of many content-heavy websites? For sites which don't require secure connections, it just doesn't make sense. The additional complexity on the client from running both protocols that you mentioned is the lesser of two evils (unless the two protocols are somehow integrated).

It is implementation complexity that I am talking about. Per the latest draft, the client has to call HTTPS first and, depending on the result of that call, can then call HTTP.

The overhead of SSL is nothing compared to making two calls, and the first has to be SSL anyway!

-- Dick
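The two-call client behaviour the message describes ("call HTTPS first and, depending on the result, call HTTP") next to an HTTPS-only client, as an added example that is not code from the thread, the WebFinger draft, or either participant. The network is a constructed in-memory fake so the block runs offline; the rule for which HTTPS outcomes permit the HTTP retry (only a connection-level failure, not an HTTPS 404) is an assumption made here, and the host name, resource and JSON documents are made up. The second scenario shows the cost of the fallback path beyond the extra round trip: an on-path attacker who can block port 443 gets the fallback client to accept a document it never authenticated, while the HTTPS-only client simply fails closed.

```python
"""Added example (not from the thread or the WebFinger draft): a client
with "HTTPS first, then HTTP" fallback beside an HTTPS-only client.
The transport is a constructed in-memory fake; the fallback rule used
here (retry over HTTP only if the HTTPS connection failed) is an
assumption, not a rule taken from the draft."""

from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

WELL_KNOWN = "/.well-known/webfinger"


class Unreachable(Exception):
    """Connection-level failure: refused, timed out, or TLS handshake failed."""


@dataclass
class Response:
    status: int
    body: str = ""


@dataclass
class Trace:
    """Every URL the client requested, in order, so the number of round
    trips and any downgrade to cleartext are visible to the caller."""
    urls: list = field(default_factory=list)


Fetcher = Callable[[str], Response]


def webfinger_url(scheme: str, host: str, resource: str) -> str:
    return f"{scheme}://{host}{WELL_KNOWN}?resource={resource}"


def lookup_https_only(fetch: Fetcher, host: str, resource: str,
                      trace: Trace) -> Optional[str]:
    """One request; an unreachable or non-200 HTTPS endpoint means no result."""
    url = webfinger_url("https", host, resource)
    trace.urls.append(url)
    try:
        r = fetch(url)
    except Unreachable:
        return None
    return r.body if r.status == 200 else None


def lookup_with_fallback(fetch: Fetcher, host: str, resource: str,
                         trace: Trace) -> Tuple[Optional[str], bool]:
    """HTTPS first; on a connection-level failure retry over HTTP.
    Returns (body, authenticated).  Assumption: only an Unreachable HTTPS
    attempt triggers the fallback; an HTTPS 404 or 500 does not."""
    url = webfinger_url("https", host, resource)
    trace.urls.append(url)
    try:
        r = fetch(url)
        return (r.body if r.status == 200 else None), True
    except Unreachable:
        pass
    url = webfinger_url("http", host, resource)
    trace.urls.append(url)
    try:
        r = fetch(url)
    except Unreachable:
        return None, False
    # The answer arrived in cleartext: nothing ties it to the host's identity.
    return (r.body if r.status == 200 else None), False


def make_fetcher(table: Dict[str, Response]) -> Fetcher:
    """Constructed network: any URL absent from the table is unreachable."""
    def fetch(url: str) -> Response:
        if url not in table:
            raise Unreachable(url)
        return table[url]
    return fetch


# Constructed host, resource and documents (hypothetical values).
HOST, RES = "example.com", "acct:alice@example.com"
GENUINE = '{"subject":"acct:alice@example.com","links":[]}'
FORGED = ('{"subject":"acct:alice@example.com",'
          '"links":[{"rel":"self","href":"http://attacker.invalid/"}]}')

# Scenario 1: the host serves HTTPS.  Both clients make exactly one request.
normal_net = make_fetcher({
    webfinger_url("https", HOST, RES): Response(200, GENUINE),
    webfinger_url("http", HOST, RES): Response(200, GENUINE),
})

# Scenario 2: an on-path attacker blocks port 443 and answers on port 80.
# The fallback client makes two round trips and returns the forged document
# flagged as unauthenticated; the HTTPS-only client fails closed after one.
blocked_443_net = make_fetcher({
    webfinger_url("http", HOST, RES): Response(200, FORGED),
})


def run(client, net):
    """Run one client against one constructed network: (result, request count)."""
    trace = Trace()
    return client(net, HOST, RES, trace), len(trace.urls)
```

`run(lookup_with_fallback, blocked_443_net)` returns the forged body with `authenticated=False` after two requests; whether a caller honours that flag is exactly the extra client logic the message is objecting to, and `run(lookup_https_only, blocked_443_net)` shows the HTTPS-only client needs none of it.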