On 15.11.13 13:55, Iljitsch van Beijnum wrote:
That aside, just saying "you MUST do TLS with HTTP/2.0" doesn't buy much security in a world where CAs are not trustworthy, people still use RC4/MD5, use woefully short keys for otherwise strong algorithms, browsers have effectively trained people to always click "visit anyway" and so on.
That's a common argument I hear. We cannot do "X" because there is also this security issue with "Y". With that approach you will never get anything done.
For that reason, our approach is to improve the design of new protocols (like HTTP2) and at the same time to try to improve the CA eco-system as well. In fact, we even have a work item on that topic within the recently created IAB security program, which I happen to lead.
With security, the perfect tends to be the enemy of the good.
With the current state of security of the Internet, as is clearly being demonstrated to us right now, I don't think we are talking about the "perfect" here at all.
Ciao Hannes