Re: New Version Notification for draft-nottingham-http2-encryption-03.txt

William Chan (陈智昌) <willchan@chromium.org> Tue, 20 May 2014 22:56 UTC

Date: Tue, 20 May 2014 15:55:42 -0700
From: "William Chan (陈智昌)" <willchan@chromium.org>
To: Martin Nilsson <nilsson@opera.com>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Subject: Re: New Version Notification for draft-nottingham-http2-encryption-03.txt
Message-ID: <CAA4WUYhXw--Ugjc2f2sxJWVq0y67p+NvWVog1TewWB9+1qGzsA@mail.gmail.com>
In-Reply-To: <op.xf6j5aubiw9drz@uranium.oslo.osa>
References: <20140520034054.10225.92036.idtracker@ietfa.amsl.com> <5905C797-A8E2-417B-94AB-589C174382BA@mnot.net> <CAPik8yb2P5RoGMLB=OtcbnpgZd-if9FpEp0HcLQcyVMtie4Yig@mail.gmail.com> <CABkgnnUJ+eDyjJteYj0pDQyy3k-j+DC2io71P-p8F=ufvDEUwg@mail.gmail.com> <op.xf6j5aubiw9drz@uranium.oslo.osa>
Archived-At: <http://www.w3.org/mid/CAA4WUYhXw--Ugjc2f2sxJWVq0y67p+NvWVog1TewWB9+1qGzsA@mail.gmail.com>
List-Id: <ietf-http-wg.w3.org>

On Tue, May 20, 2014 at 3:45 PM, Martin Nilsson <nilsson@opera.com> wrote:

> On Tue, 20 May 2014 18:54:22 +0200, Martin Thomson <martin.thomson@gmail.com> wrote:
>
>> Maybe there's a case for further highlighting the distinction we want
>> to retain, at least at the broadest level of generality: https ==
>> secure, http == not.  That is the point of Section 6.1, but I might be
>> convinced that repetition of this is necessary.
>
> I assume that the set of ciphers you negotiate from would be the same here
> as for https. The performance difference isn't big, and you minimize your
> traffic analysis footprint by not having different TLS parameters for http
> and https URLs. Given this, the only possible difference is the
> certificates, and they will be the same for http as https users of a
> specific site. So in practice there will be no difference between the
> actual connections for http and https in many cases. Should you still not
> show any security indicators in the UI?

Transport security is very different from web security. For example, only
some of the resources in a webpage may be opportunistically encrypted with
strong authentication. If there's active content like script that's loaded
without transport security, that can compromise the entire page. Pages
loaded using opportunistic encryption definitely do not deserve the same
security indicator as an https:// page. One might argue that they deserve
something better than nothing, but explaining this difference to users is
quite difficult already, so it seems inadvisable to further muddy the
distinction by introducing a middle ground security indicator.

> /Martin Nilsson
>
> --
> Using Opera's revolutionary email client: http://www.opera.com/mail/
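The page-level reasoning in the reply above, as an added example that is not part of the thread and not any browser's actual indicator code: a toy policy in JavaScript in which an http:// top-level page gets no indicator however its connections were encrypted, and on an https:// page the weakest active resource decides. The resource model ({url, type, tls, certValid}), the split of resource types into active and passive, the class names and the sample pages with placeholder hostnames are all assumptions made for this example.

```javascript
// Added example, not code from the thread or from any browser. A toy
// security-indicator policy: an http:// page never earns the "secure"
// indicator, even when its connections used opportunistic TLS, and on an
// https:// page the weakest active resource decides. Resource types, class
// names and sample pages are assumptions made for this example.

// Resource types that can run or restyle the page; an unauthenticated load
// of one of these can rewrite the whole document.
const ACTIVE_TYPES = new Set(['script', 'stylesheet', 'iframe', 'xhr', 'font']);

// Transport classes, weakest to strongest. 'opportunistic' is TLS used for an
// http:// URL without the server being authenticated for that host.
const RANK = { plaintext: 0, opportunistic: 1, authenticated: 2 };

// load: { url, tls, certValid }
function classifyTransport(load) {
  const scheme = new URL(load.url).protocol;
  if (scheme === 'https:') {
    // Only a validated certificate makes an https:// load authenticated.
    return load.tls && load.certValid ? 'authenticated' : 'plaintext';
  }
  // http:// URL: TLS may have been negotiated opportunistically, but the
  // origin is still not authenticated, so it can never rank as such.
  return load.tls ? 'opportunistic' : 'plaintext';
}

// page: { url, tls, certValid, resources: [{ url, type, tls, certValid }] }
// Returns one of 'none', 'insecure', 'degraded', 'secure'.
function pageIndicator(page) {
  if (classifyTransport(page) !== 'authenticated') {
    // Top-level http:// (or a failed https:// validation): no indicator,
    // however the bytes travelled.
    return 'none';
  }
  let weakestActive = 'authenticated';
  let weakestPassive = 'authenticated';
  for (const r of page.resources) {
    const cls = classifyTransport(r);
    if (ACTIVE_TYPES.has(r.type)) {
      if (RANK[cls] < RANK[weakestActive]) weakestActive = cls;
    } else if (RANK[cls] < RANK[weakestPassive]) {
      weakestPassive = cls;
    }
  }
  if (weakestActive !== 'authenticated') return 'insecure';  // active mixed content
  if (weakestPassive !== 'authenticated') return 'degraded'; // passive mixed content
  return 'secure';
}

// Constructed sample pages (hostnames are placeholders).
const SAMPLE_PAGES = {
  allHttps: {
    url: 'https://site.example/', tls: true, certValid: true,
    resources: [
      { url: 'https://site.example/app.js', type: 'script', tls: true, certValid: true },
      { url: 'https://cdn.example/logo.png', type: 'image', tls: true, certValid: true },
    ],
  },
  // https:// page pulling a script from an http:// URL that happened to use
  // opportunistic TLS: encrypted but unauthenticated, so still 'insecure'.
  oeScript: {
    url: 'https://site.example/', tls: true, certValid: true,
    resources: [
      { url: 'http://cdn.example/app.js', type: 'script', tls: true, certValid: false },
    ],
  },
  plaintextImage: {
    url: 'https://site.example/', tls: true, certValid: true,
    resources: [
      { url: 'http://cdn.example/logo.png', type: 'image', tls: false, certValid: false },
    ],
  },
  // http:// page whose every connection used opportunistic TLS with the same
  // certificate the https:// site presents: still no indicator.
  oePage: {
    url: 'http://site.example/', tls: true, certValid: true,
    resources: [
      { url: 'http://site.example/app.js', type: 'script', tls: true, certValid: true },
    ],
  },
};

function demo() {
  const out = {};
  for (const [name, page] of Object.entries(SAMPLE_PAGES)) out[name] = pageIndicator(page);
  return out;
}

console.log(demo());
```

The ordering of the checks is the point: the top-level scheme is tested first, so the opportunistic case can never reach the mixed-content logic and borrow an indicator from it, and active content is ranked before passive content because a script or stylesheet fetched without authentication can alter everything else on the page.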