[148129] in cryptography@c2.net mail archive


Re: [Cryptography] HTTP should be deprecated.

daemon@ATHENA.MIT.EDU (Eric Mill)
Tue Nov 12 01:24:10 2013

X-Original-To: cryptography@metzdowd.com
In-Reply-To: <CAEw2jfwq+=FVpXO34xRZCeB2ogp9aA_1_TKas913mfLF1JUjPQ@mail.gmail.com>
From: Eric Mill <eric@konklone.com>
Date: Tue, 12 Nov 2013 00:25:22 -0500
To: Patrick Mylund Nielsen <cryptography@patrickmylund.com>
Cc: John Kelsey <crypto.jmk@gmail.com>, Russ Nelson <nelson@crynwr.com>,
	"cryptography@metzdowd.com List" <cryptography@metzdowd.com>,
	Lodewijk andré de la porte <l@odewijk.nl>,
	Greg <greg@kinostudios.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com

A few things are pretty clear:

* Whether or not everything should be HTTPS, clearly more should be.
* HTTPS has lots of problems and doesn't solve everything.
* HTTPS breaks some kinds of caching, and doesn't affect others.
* CDNs charge waaayyyy more to serve your data as HTTPS. This affects the
behavior of institutions that use CDNs.
* Google and others are backing SPDY as the next HTTP 2.0, which would have
TLS on for all traffic. Google cares about performance and efficiency more
than anyone else on the Web, and they think TLS is just fine. SPDY/HTTP2 is
built to extend the Web with lots of different performance gains.

HTTP2 being all-TLS would effectively deprecate HTTP in favor of HTTPS. I
think this is where the Web is going, and we should look at whatever
downsides that would cause and start addressing them now.


On Mon, Nov 11, 2013 at 8:03 PM, Patrick Mylund Nielsen <
cryptography@patrickmylund.com> wrote:

> On Mon, Nov 11, 2013 at 7:45 PM, Lodewijk andré de la porte <l@odewijk.nl> wrote:
>
>> I'm sorry, no. There is information that is simply public. To intricately
>> confuse them through our petty plays with numbers would be nothing but
>> waste of time and all the peoples' resources.
>>
>
> I think you missed John's point, which was that, while the information may
> be something that is readily accessible to all, the fact that YOU are
> accessing it is interesting information. And that's true, but somebody is
> going to get that information whether or not the channel is encrypted.
>
>
>> Think of the caching disadvantages!
>>
>
> Which? It's very easy to cache stuff when HTTPS is used, either
> server-side or client-side (Cache-Control header.) It's just a transport.
>
> The fact that the CA model is a mess and browsers depend on it is a much
> bigger disadvantage.
>
> _______________________________________________
> The cryptography mailing list
> cryptography@metzdowd.com
> http://www.metzdowd.com/mailman/listinfo/cryptography
>



-- 
konklone.com | @konklone <https://twitter.com/konklone>
