Re: 2 questions

Cory Benfield <> Mon, 30 March 2015 08:30 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 16A741A923D for <>; Mon, 30 Mar 2015 01:30:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.89
X-Spam-Status: No, score=-4.89 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id Mj-OPASmtTfH for <>; Mon, 30 Mar 2015 01:29:58 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id B22461A9235 for <>; Mon, 30 Mar 2015 01:29:58 -0700 (PDT)
Received: from lists by with local (Exim 4.80) (envelope-from <>) id 1YcV2Q-0003hb-Fe for; Mon, 30 Mar 2015 08:27:14 +0000
Resent-Date: Mon, 30 Mar 2015 08:27:14 +0000
Resent-Message-Id: <>
Received: from ([]) by with esmtp (Exim 4.80) (envelope-from <>) id 1YcV2G-0003g1-NQ for; Mon, 30 Mar 2015 08:27:04 +0000
Received: from ([]) by with esmtps (TLS1.0:RSA_ARCFOUR_SHA1:16) (Exim 4.72) (envelope-from <>) id 1YcV25-0007gV-RR for; Mon, 30 Mar 2015 08:27:04 +0000
Received: by obbps3 with SMTP id ps3so2119429obb.3 for <>; Mon, 30 Mar 2015 01:26:27 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=ceKo8s8rzJHGEcVcsYCWMSaLTXZ/dI/wPeuTE3aypmE=; b=kS6E6yijwA/z0iaV6nqz5aUv01ykw/8/uFSYe75SR8oahRZeLDLmEXqwfxPEN0O8SG aVsRjQQEk0+OW+L+LLi46N0m358hIsj4SqYzZmNne9aEKMkRIjH8Ljy01zwAZjOaZhkT EQ+pAvlphO4gQyv/noRjMaMJV0+Z1A7Rt9/uMB86Zr5gKJnblaSnGVijyGsmdphyL5KA 8cESZ/eD+nm7yul1QLmuIotAOA3EaoPSAKod3O+DJZc52lBg0YG4wKKk9Q3qasXLVzRu iB3HuLuEmaxQPWKUyRzrJc6WTHMddmxG5CTnTTEtQXS4L/F3I/pf7Z2cILz3+nZkmIqq BY7w==
X-Gm-Message-State: ALoCoQlnnhTQyLwJ0gIpeFdwjsfH+ZttwsdBKfatklj7bsKHQ7UZYhJZxRCxhRcsWnOgrD5mZH4o
MIME-Version: 1.0
X-Received: by with SMTP id de20mr25798995obb.84.1427703987456; Mon, 30 Mar 2015 01:26:27 -0700 (PDT)
Received: by with HTTP; Mon, 30 Mar 2015 01:26:27 -0700 (PDT)
X-Originating-IP: [2620:104:4001:73:29d0:6728:10ab:7293]
In-Reply-To: <em0a95d842-8dd6-4f76-b091-f920acfe1977@bodybag>
References: <> <em0a95d842-8dd6-4f76-b091-f920acfe1977@bodybag>
Date: Mon, 30 Mar 2015 09:26:27 +0100
Message-ID: <>
From: Cory Benfield <>
To: Adrien de Croy <>
Cc: Yoav Nir <>, Glen <>, "" <>
Content-Type: text/plain; charset="UTF-8"
Received-SPF: pass client-ip=;;
X-W3C-Hub-Spam-Status: No, score=-5.3
X-W3C-Hub-Spam-Report: AWL=-0.675, BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, W3C_AA=-1, W3C_WL=-1
X-W3C-Scan-Sig: 1YcV25-0007gV-RR 6da06ef1728a8edce30976e13866fc91
Subject: Re: 2 questions
Archived-At: <>
X-Mailing-List: <> archive/latest/29067
Precedence: list
List-Id: <>
List-Help: <>
List-Post: <>
List-Unsubscribe: <>

On 30 March 2015 at 04:15, Adrien de Croy <> wrote:
> I can buy that 1/3 of web requests use TLS.
> however that does not apply to 1/3 of web sites using TLS.  Probably just FB
> and google alone account for 1/3 of web requests.
> There are surely hundreds of millions of sites.  That's at least tens of
> millions of administrators who will need to take on the burden of making TLS
> work on their site.  Many will not see any point in this.  Pretty much all
> the sites that felt a need to deploy TLS will have already done so, and the
> others will not thank the IETF or google or the chromium project for
> attempting to force costs on them.

No-one is being *forced* to do anything. HTTP/1.1 is not going away.
If you dig back through the archives of this working group you'll
repeatedly find statements from almost all camps that HTTP/1.1 will be
around for the foreseeable future. Website owners that cannot set up
TLS will still find plenty of support for plaintext HTTP.

In this case I think Google and Firefox are probably right: HTTP/2 in
plaintext is likely to break frequently and mysteriously. This is
mostly because of intermediaries that believe they understand HTTP,
but don't do it very well (HAProxy is a good example I can think off
of the top of my head). These intermediaries are usually transparent
to HTTP/1.1 users, but they will likely break HTTP/2 traffic over port
80. Chrome and Firefox are therefore acting in the interest of both
users and operators when they forbid this kind of traffic. They're
saving your users from thinking your website is broken because their
ISP deployed some terrible intermediate 'service' that mangles HTTP/2
(consider Comcast's injection of HTTP headers, for example).

At this point in time, my HTTP/2 implementation does not support
plaintext HTTP/2. I will add support for it in the next few weeks, but
I do not expect it to work in the vast majority of cases, and will be
emitting warning logs to that effect.