[Cryptography] [cryptography] STARTTLS for HTTP

John Levine johnl at iecc.com
Sat Aug 30 19:18:19 EDT 2014


>> What's the point?  Anything that speaks HTTP also speaks HTTPS, so
>> there's no need for the "If you support it, I have TLS available."
>> Just use any of multitude of redirect mechanisms for your webserver to
>> kick people onto HTTPS.
>
>Some clients do not send SNI, so it's possible to send HTTP requests
>to the right server, but not HTTPS requests.  ...

This doesn't strike me as a very compelling argument.

If people are using clients that don't do SNI, that's because they
haven't upgraded their browser software in a very long time.  Surely
it would be no harder to get them to upgrade to SNI browsers, which
are widely available and interoperate with widely available SNI
servers, than to STARTTLS for HTTP, which isn't implemented anywhere.

>If basic encryption were purely a transport layer matter (without
>authentication and security against active attackers), server
>operators could simply negotiate it with clients, just like they
>assign customer domains to IP addresses as they see fit today.

How is this functionally different from turning off the warning about
self-signed certificates, other than perhaps some obscure address bar
differences between http and https that non-geeks won't understand?

R's,
John
