[Cryptography] [cryptography] STARTTLS for HTTP

Florian Weimer fw at deneb.enyo.de
Sun Aug 31 16:26:31 EDT 2014


* Tony Arcieri:

> In this model, we have a mode for unauthenticated encryption where an
> unverified cert is OK. It probably shouldn't reflect anything to the user
> and give the same "white" bar as normal plaintext HTTP. But it does add
> resilience against passive, blanket surveillance.
>
> https certificate verification UX "research" (since the warnings given to
> users seem to constantly be in flux) can continue as-is and unabated by the
> addition of STARTTLS for HTTP. It should be completely transparent (except
> to the passive surveillers).

Correct.  Secure (HTTPS-only) cookies wouldn't be sent, either, and
whatever else is enabled by https:// mode right now would remain
disabled, too.

