Re: [apps-discuss] I-D Action: draft-nottingham-http-browser-hints-02.txt
Barry Leiba <barryleiba@computer.org> Wed, 31 August 2011 16:27 UTC
Return-Path: <barryleiba@gmail.com>
X-Original-To: apps-discuss@ietfa.amsl.com
Delivered-To: apps-discuss@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A47F821F8CD7 for <apps-discuss@ietfa.amsl.com>; Wed, 31 Aug 2011 09:27:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.026
X-Spam-Level:
X-Spam-Status: No, score=-103.026 tagged_above=-999 required=5 tests=[AWL=-0.049, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1BDvJMD-KHY9 for <apps-discuss@ietfa.amsl.com>; Wed, 31 Aug 2011 09:27:35 -0700 (PDT)
Received: from mail-gx0-f172.google.com (mail-gx0-f172.google.com [209.85.161.172]) by ietfa.amsl.com (Postfix) with ESMTP id 0B19F21F8CD2 for <apps-discuss@ietf.org>; Wed, 31 Aug 2011 09:27:34 -0700 (PDT)
Received: by gxk19 with SMTP id 19so853159gxk.31 for <apps-discuss@ietf.org>; Wed, 31 Aug 2011 09:29:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=/GYCXQKO92HDg2W2ggDJUbeJX5Acgt88+YXf3ltBpkE=; b=mxQvHNxpdNiDttEnRFbnMyoWzeMsePBvhmzoce/UzDZPLkjmE8gICKSGSnks6IJnsj jrlOlNziIBOBXZ9DHodjeAjHBfyCaUOIqf/Wz4VwpT/Z754IN4nizdug9fONXTeMfZr+ 3qMKjWBiak+3hqSWwoKO9LStkJiUgG62VHUp0=
MIME-Version: 1.0
Received: by 10.236.72.233 with SMTP id t69mr3278175yhd.55.1314808143980; Wed, 31 Aug 2011 09:29:03 -0700 (PDT)
Sender: barryleiba@gmail.com
Received: by 10.236.208.35 with HTTP; Wed, 31 Aug 2011 09:29:03 -0700 (PDT)
In-Reply-To: <4E5E5F22.4010407@gmail.com>
References: <20110531062229.28776.82429.idtracker@ietfa.amsl.com> <0CE9268E-5802-4B0A-B643-F580E7F048B5@mnot.net> <4E5BB162.6010101@gmail.com> <D42B156C-33BD-4F8F-8958-A2E7900E055D@mnot.net> <4E5E47BB.3010403@gmail.com> <4E5E47FB.9050100@stpeter.im> <4E5E49A5.1020106@gmail.com> <CAC4RtVCms5uqJFTjXRjmVOtSr88qZFJN632KeRKhekVaMXETyA@mail.gmail.com> <4E5E5F22.4010407@gmail.com>
Date: Wed, 31 Aug 2011 12:29:03 -0400
X-Google-Sender-Auth: wNevi9Kj2GsLx5t91VxsvgODyno
Message-ID: <CALaySJJ4SncHbF0wZ-0wAtM=7ccmYZHdSG=sH0ejSB5=RRbHVQ@mail.gmail.com>
From: Barry Leiba <barryleiba@computer.org>
To: Mykyta Yevstifeyev <evnikita2@gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: Mark Nottingham <mnot@mnot.net>, apps-discuss@ietf.org
Subject: Re: [apps-discuss] I-D Action: draft-nottingham-http-browser-hints-02.txt
X-BeenThere: apps-discuss@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: General discussion of application-layer protocols <apps-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/apps-discuss>
List-Post: <mailto:apps-discuss@ietf.org>
List-Help: <mailto:apps-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 31 Aug 2011 16:27:35 -0000
>> A client that wants to use HTTPS, but isn't sure whether this part of >> the site supports it, can do it one of two ways: >> >> 1. Try HTTPS. If it doesn't work, fall back to HTTP. >> >> 2. Use HTTP. If a "hint" is included in the HTTP response that says >> HTTPS is OK, then switch to HTTP. >> >> You're proposing 2. Is that right? >> >> Assuming that's right, I'm saying that 1 is better. > > You're right. But: a client needs to do 1 for each time it tries to access > something whereas 2 would only be required once. 2 is more practical; are > there any other considerations which led you to the conclusion that 1 is > better? 2 is not more practical. Very few (probably no) web sites will have HTTPS enabled or disabled item by item. In reality, clients will try HTTPS, it will work, and it will continue to work for most or all of what they're doing at that site. When it fails, they'll fall back to HTTP and continue using it for the section of the site for which HTTPS failed. On the other hand, method 2 requires that they try to figure out when they can safely use the hint they were given before. When, exactly, is it that they cross over into another part of the site, which might not support HTTPS? If they get it wrong, they wind up with method 1 anyway. Apart from that, method 1 ensures that if they can use HTTPS, the entire client session (that is, all interactions between the client and the site in question) is protected by TLS. With method 2, the initial communication is in the open, unprotected, and the client has to switch to protection after getting the hint. That creates a window for snooping. Also, a MitM attacker can remove the HTTPS hints, preventing the client from ever even trying SSL. This looks like a bad solution in search of a problem. Barry
- [apps-discuss] Fwd: I-D Action: draft-nottingham-… Mark Nottingham
- Re: [apps-discuss] Fwd: I-D Action: draft-notting… Dzonatas Sol
- Re: [apps-discuss] Fwd: I-D Action: draft-notting… Mark Nottingham
- Re: [apps-discuss] Fwd: I-D Action: draft-notting… Dzonatas Sol
- Re: [apps-discuss] Fwd: I-D Action: draft-notting… Mark Nottingham
- Re: [apps-discuss] Fwd: I-D Action: draft-notting… Dzonatas Sol
- Re: [apps-discuss] Fwd: I-D Action: draft-notting… Dzonatas Sol
- Re: [apps-discuss] Fwd: I-D Action: draft-notting… Mykyta Yevstifeyev
- Re: [apps-discuss] I-D Action: draft-nottingham-h… Mark Nottingham
- Re: [apps-discuss] I-D Action: draft-nottingham-h… Mykyta Yevstifeyev
- Re: [apps-discuss] I-D Action: draft-nottingham-h… Peter Saint-Andre
- Re: [apps-discuss] I-D Action: draft-nottingham-h… Mykyta Yevstifeyev
- Re: [apps-discuss] I-D Action: draft-nottingham-h… Barry Leiba
- Re: [apps-discuss] I-D Action: draft-nottingham-h… Mykyta Yevstifeyev
- Re: [apps-discuss] I-D Action: draft-nottingham-h… Barry Leiba