[Cryptography] [cryptography] STARTTLS for HTTP

Florian Weimer fw at deneb.enyo.de
Wed Sep 3 16:36:53 EDT 2014


* John Levine:

>>That's true, but again, you wouldn't necessarily need to update
>>clients if it's strictly at the transport layer because the TLS could
>>be terminated on a proxy.
>
> If we get to stick proxies in the middle, we could set up a proxy that
> got an incoming http request and attempted to proxy it to an https
> request and threw away any certificate warnings.  How would that be
> functionally different?

There's currently no way for a server operator to state that http://
and https:// offer the same content.

>>Turning off certificate warnings for everything would disable
>>authentication for everyone, including those who have obtained proper
>>certificates.
>
> Then twiddle the warnings so they just turn off the lock icon rather
> than putting up a big scary page that 99% of users click through
> anyway.

This doesn't work because it's not just the UI indicators.  The change
from https:// to http:// alters browser and web application behavior
as well.  That's why it's preferable to make the change at a lower
layer, so that the http:// scheme can be reduced.

