Re: New Version Notification for draft-nottingham-http2-encryption-03.txt

Stephen Farrell <stephen.farrell@cs.tcd.ie> Tue, 20 May 2014 22:52 UTC

Archived-At: <http://www.w3.org/mid/537BDC7E.6060706@cs.tcd.ie>


On 20/05/14 23:45, Martin Nilsson wrote:
> On Tue, 20 May 2014 18:54:22 +0200, Martin Thomson
> <martin.thomson@gmail.com> wrote:
> 
>>
>> Maybe there's a case for further highlighting the distinction we want
>> to retain, at least at the broadest level of generality: https ==
>> secure, http == not.  That is the point of Section 6.1, but I might be
>> convinced that repetition of this is necessary.
>>
> 
> I assume that the set of ciphers you negotiate from would be the same
> here as for https. The performance difference isn't big, and you
> minimize your traffic analysis footprint by not having different TLS
> parameters for http and https URLs. Given this the only possible
> difference are the certificates, and they will be the same for http as
> https users of a specific site. So in practice there will be no
> difference between the actual connections for http and https in many
> cases. Should you still not show any security indicators in the UI?

Yes. If opportunistic, then e.g. it'd be ok to defer cert validation
thus being partly MiTM'able in some cases for some (maybe short) period.
But a short period is just fine for some bad actors.

S.


> 
> /Martin Nilsson
>