[Cryptography] [cryptography] STARTTLS for HTTP
Tony Arcieri
bascule at gmail.com
Wed Sep 3 17:15:23 EDT 2014
On Wed, Sep 3, 2014 at 1:36 PM, Florian Weimer <fw at deneb.enyo.de> wrote:
> This doesn't work because it's not just the UI indicators. The change
> from https:// to http:// alters browser and web application behavior
> as well. That's why it's preferable to make the change at a lower
> layer, so that the http:// scheme can be reduced.
STARTTLS for HTTP isn't for people who currently offer HTTPS content. It's
for people who don't want to pay for an SSL certificate and/or don't have
the time or knowledge to configure them for each and every site.

They could, at a baseline, still provide resistance to passive monitoring
with practically no configuration beyond flipping it on.

It should still identify and operate as if it were http:// from the
browser's perspective, with perhaps a subtle indication to the user that
their connection is slightly more secure, or nothing at all, e.g. plaintext
HTTP could show a broken lock.
--
Tony Arcieri