[Cryptography] [cryptography] STARTTLS for HTTP

Florian Weimer fw at deneb.enyo.de
Sun Aug 31 09:42:50 EDT 2014


* John Levine:

>>> What's the point?  Anything that speaks HTTP also speaks HTTPS, so
>>> there's no need for the "If you support it, I have TLS available."
>>> Just use any of a multitude of redirect mechanisms for your webserver to
>>> kick people onto HTTPS.
>>
>> Some clients do not send SNI, so it's possible to send HTTP requests
>> to the right server, but not HTTPS requests.  ...
>
> This doesn't strike me as a very compelling argument.

For most web sites, it translates to a measurable loss of audience.
It's certainly significant enough that server operators won't feel
comfortable about locking out such browsers.

> If people are using clients that don't do SNI, that's because they
> haven't upgraded their browser software in a very long time.

This is not necessarily true; you can still buy vendor support for an
SNI-incapable browser.

> Surely it would be no harder to get them to upgrade to SNI browsers,
> which are widely available and interoperate with widely available
> SNI servers, than to STARTTLS for HTTP which isn't implemented
> anywhere.

That's true, but again, you wouldn't necessarily need to update
clients if it's strictly at the transport layer because the TLS could
be terminated on a proxy.

>> If basic encryption was purely a transport layer matter (without
>> authentication and security against active attackers), server
>> operators could simply negotiate it with clients, just like they
>> assign customer domains to IP addresses as they see fit today.
>
> How is this functionally different from turning off the warning
> about self-signed certificates, other than perhaps some obscure
> address bar differences between http and https that non-geeks won't
> understand?

Turning off certificate warnings for everything would disable
authentication for everyone, including those who have obtained proper
certificates.
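An added example, not part of the thread, illustrating the SNI point discussed above: it parses a TLS ClientHello, pulls out the server_name extension if the client sent one, and shows that a server hosting several names on one IP address can only present its default certificate to an SNI-less client. The hostnames, the virtual-host map and the certificate labels are constructed for the example.

```python
import struct
from typing import Optional
SNI_EXT_TYPE = 0  # server_name extension type, RFC 6066

def build_client_hello(hostname: Optional[str], legacy: bool = False) -> bytes:
    """Construct a minimal TLS ClientHello handshake message (constructed sample input only)."""
    body = b"\x03\x03" + b"\x00" * 32            # client_version + random (zeroed for the example)
    body += b"\x00"                               # empty session_id
    body += b"\x00\x02\xc0\x2f"                   # one cipher suite (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
    body += b"\x01\x00"                           # null compression only
    exts = b""
    if hostname is not None:
        name = hostname.encode("ascii")
        sni_list = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
        sni_data = struct.pack("!H", len(sni_list)) + sni_list
        exts += struct.pack("!HH", SNI_EXT_TYPE, len(sni_data)) + sni_data
    if not legacy:                                # pre-extension clients omit the block entirely
        body += struct.pack("!H", len(exts)) + exts
    return b"\x01" + len(body).to_bytes(3, "big") + body

def extract_sni(client_hello: bytes) -> Optional[str]:
    """Return the host_name from the ClientHello's SNI extension, or None if the client sent none."""
    if len(client_hello) < 4 or client_hello[0] != 0x01:
        raise ValueError("not a ClientHello handshake message")
    pos = 4 + 2 + 32                              # skip type + length, version, random
    pos += 1 + client_hello[pos]                  # session_id
    pos += 2 + struct.unpack_from("!H", client_hello, pos)[0]   # cipher_suites
    pos += 1 + client_hello[pos]                  # compression_methods
    if pos + 2 > len(client_hello):
        return None                               # no extensions block at all
    ext_len = struct.unpack_from("!H", client_hello, pos)[0]
    pos, end = pos + 2, pos + 2 + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack_from("!HH", client_hello, pos)
        pos += 4
        if etype == SNI_EXT_TYPE:
            lpos = pos + 2                        # skip server_name_list length
            while lpos + 3 <= pos + elen:
                ntype = client_hello[lpos]
                nlen = struct.unpack_from("!H", client_hello, lpos + 1)[0]
                if ntype == 0:
                    return client_hello[lpos + 3:lpos + 3 + nlen].decode("ascii")
                lpos += 3 + nlen
        pos += elen
    return None

def select_certificate(vhosts: dict, default: str, sni: Optional[str]) -> str:
    """Without SNI a shared-IP server can only present its default certificate."""
    return vhosts.get(sni, default)
```

The `legacy` flag models the oldest clients, which send no extensions block at all; both they and extension-capable clients without SNI end up with the default certificate.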

