[Cryptography] [cryptography] STARTTLS for HTTP

Tom Ritter tom at ritter.vg
Thu Sep 4 19:19:58 EDT 2014


On 3 September 2014 16:15, Tony Arcieri <bascule at gmail.com> wrote:
> STARTTLS for HTTP isn't for people who currently offer HTTPS content. It's
> for people who don't want to pay for an SSL certificate and/or don't have
> the time or knowledge to configure them for each and every site.
>
> They could, at a baseline, still provide resistance to passive monitoring
> with practically no configuration beyond flipping it on.
>
> It should still identify and operate as if it were http:// from the
> browser's perspective, with perhaps a subtle indication to the user that
> their connection is slightly more secure, or nothing at all, e.g. plaintext
> HTTP could show a broken lock.

I took it to mean something different, literally to mean "Start
talking [full] TLS to me."  Which is what the draft in your initial
email seems to indicate, as it seems to require cert validation.
That's why I countered with 'What's the point of this draft? Just send
a redirect.'

Opportunistic encryption for HTTP is good, and I support it.  It's
being worked on in the IETF, too, so it seems like it will at least be
standardized.  Just not under the moniker 'STARTTLS for HTTP'.  :)

-tom
