On 11/17/20 9:02 AM, Keith Moore wrote: > On 11/17/20 10:57 AM, Adam Roach wrote: > >>> Are those web browsers that are deprecating FTP also deprecating HTTP >>> without TLS? >> >> >> Yes. >> >> https://blog.mozilla.org/security/2015/04/30/deprecating-non-secure-http/ >> >> https://www.chromium.org/Home/chromium-security/marking-http-as-non-secure > > Wow. That's incredibly arrogant and shortsighted. I cannot begin to > count, for instance, the number of Internet appliances out there (in > both consumer and industrial applications) that have http interfaces but > do not support https. Keith, you said something similar on the UTA WG list earlier this year when we talked about adding a work item to revise BCP 195 in the light of TLS 1.3. It would be helpful if you could explain your thinking in more detail. Are you concerned that web browsers which eventually deprecate HTTP without TLS will make it impossible for people to interact with certain deployed Internet appliances? Do note that when the time comes such web browsers will provide an escape hatch: they won't make it impossible to use HTTP without TLS, but they will force the user to make an explicit decision about setting up an unencrypted connection. Here again (as with Adam Roach's messages about the IETF's FTP service) it's a question of tradeoffs and cost/benefit analysis. Because the vast majority of web browsing activity involves interacting with sites on the open web, not with Internet appliances, it seems reasonable to protect users during such interactions to prevent a wide array of attacks and abuses, from password sniffing to eavesdropping to tracking and profiling. However, also giving users the ability to explicitly choose unencrypted connections in certain special circumstances seems to me to strike the right balance. Peter
