[Cryptography] [cryptography] STARTTLS for HTTP

Viktor Dukhovni cryptography at dukhovni.org
Tue Aug 19 09:21:40 EDT 2014


On Mon, Aug 18, 2014 at 11:09:41PM -0700, Ryan Carboni wrote:

> It would be secure against wifi eavesdropping. But worse it might instill a
> false sense of security.

Only if the marketers are allowed to misrepresent it that way.  I
don't think it is a serious risk.  The real issue is the latency
cost: STARTTLS introduces multiple extra round-trips, and would
have to happen on every request.  A redirect to a port where TLS
is automatic is more performant, but then all clients need to do
TLS.

Instead of a redirect, in

    http://tools.ietf.org/html/draft-ietf-httpbis-http2-encryption-00

an "alternative service advertisement" is used:

    http://tools.ietf.org/html/draft-ietf-httpbis-alt-svc-01

which is optionally employed by suitably capable clients.

-- 
	Viktor.
