[Cryptography] [cryptography] STARTTLS for HTTP
Viktor Dukhovni
cryptography at dukhovni.org
Tue Aug 19 09:21:40 EDT 2014
On Mon, Aug 18, 2014 at 11:09:41PM -0700, Ryan Carboni wrote:
> It would be secure against wifi eavesdropping. But worse it might instill a
> false sense of security.
Only if the marketers are allowed to misrepresent it that way. I
don't think it is a serious risk. The real issue is the latency
cost: STARTTLS introduces multiple extra round-trips and would
have to happen on every request. A redirect to a port where TLS
is automatic is more performant, but then all clients need to do
TLS.
Instead of a redirect, in
http://tools.ietf.org/html/draft-ietf-httpbis-http2-encryption-00
an "alternative service advertisement" is used:
http://tools.ietf.org/html/draft-ietf-httpbis-alt-svc-01
which is optionally employed by suitably capable clients.
--
Viktor.
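As an added example, not code from the mail, the drafts it cites, or their authors: a small client-side parser for the Alt-Svc advertisement that the second paragraph describes, together with the selection rule that makes it safe to follow. It assumes the header form of the later RFC 7838 (`h2=":443"; ma=3600`, optionally unquoted as in earlier drafts), the `h2` ALPN identifier as the TLS-only protocol, a 24-hour default max-age, and a constructed sample header; the draft-01 grammar the mail links to differs in details.

```python
"""Parse Alt-Svc header values and pick a TLS-capable alternative.

Added example, not from the mail, the drafts, or the author.  Header syntax
is assumed to follow the later RFC 7838 form; the draft-01 grammar differs.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Protocols that only run over TLS.  An alternative advertising one of these
# is the "TLS is automatic" case the mail contrasts with STARTTLS: no
# per-request upgrade round-trips.  (Assumed set; extend as needed.)
TLS_ONLY_PROTOCOLS = {"h2"}

# Assumed default lifetime of an advertisement (24 hours, per RFC 7838).
DEFAULT_MAX_AGE = 86400

# protocol-id "=" [DQUOTE] [host] ":" port [DQUOTE]
# Quotes are optional so the older unquoted draft form also parses.
_ALT_RE = re.compile(r'^([A-Za-z0-9%!#$&+\-.^_`|~]+)=("?)([^":]*):(\d{1,5})\2$')

# Constructed sample header, not captured from any real server.
SAMPLE_HEADER = 'h2=":443"; ma=3600, http%2F1.1="alt.example.net:8000"'


@dataclass(frozen=True)
class AltService:
    protocol: str
    host: Optional[str]   # None means "same host as the origin"
    port: int
    max_age: int          # seconds the advertisement may be cached


def parse_alt_svc(value: str, default_max_age: int = DEFAULT_MAX_AGE) -> Optional[List[AltService]]:
    """Return the advertised alternatives, or None for 'Alt-Svc: clear'."""
    if value.strip() == "clear":
        return None
    alts: List[AltService] = []
    for member in value.split(","):
        parts = [p.strip() for p in member.split(";")]
        m = _ALT_RE.match(parts[0])
        if not m:
            continue  # malformed member: ignore it rather than fail the response
        protocol, _, host, port_text = m.groups()
        port = int(port_text)
        if not 0 < port <= 65535:
            continue
        max_age = default_max_age
        for param in parts[1:]:
            name, _, pval = param.partition("=")
            if name.strip().lower() == "ma" and pval.strip().isdigit():
                max_age = int(pval.strip())
        alts.append(AltService(protocol, host or None, port, max_age))
    return alts


def choose_tls_alternative(alts: List[AltService], origin_host: str) -> Optional[Tuple[AltService, str]]:
    """Pick the first alternative reachable over TLS.

    Returns (alternative, host_to_verify).  The certificate the alternative
    presents must be validated for the *origin* host, never for the
    alternative's own host: otherwise anyone able to inject an Alt-Svc header
    into a plaintext response could steer the client to a server they control.
    """
    for alt in alts:
        if alt.protocol in TLS_ONLY_PROTOCOLS:
            return alt, origin_host
    return None


if __name__ == "__main__":
    found = parse_alt_svc(SAMPLE_HEADER) or []
    for alt in found:
        print(alt)
    print("use:", choose_tls_alternative(found, "www.example.com"))
```

The parser never fails the whole response on a malformed member, and the chooser ignores any alternative that is not TLS-only, so a plaintext advertisement cannot downgrade a client that already has a TLS path.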