Re: Fwd: The ability to automatically upgrade a reference to HTTPS from HTTP

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, Aug 22, 2014 at 12:16:22PM -0700, Tim Bray wrote:
> From: "Tim Berners-Lee" <timbl@xxxxxx>
> 
> [...]
> 
> Here is a proposal, that we need this convention:
> 
>          If two URIs differ only in the 's' of 'https:', then they may
> never be used for different things.
>
> [...]
>
> What this means is that a client given an http:  URL in a reference is
> always free to try out the HTTPS, just adding an S, and use result if the
>  is successful.

It too late for that though: all too often the two resources are not the
same.

Though a server could advertise that they are the same, but the client
would first have to try HTTPS to find out, increasing latency when the
server doesn't (which would be the common case at first).

IIUC the HTTP/2.0 folks are working on one transport to access both
kinds of resources.  And if we apply the opportunistic security pattern
to this we should be able to get encrypted security (even if often
unauthenticated) when using http URIs.

> Or do we have to only build serious internet applications as browser
> extensions or native apps?

I agree with the idea though, that we should apply opportunistic
security when we would otherwise just use plaintext!

> I suspect has been discussed in many fora -- apologies if the issue is
> already noted and resolved, and do point to where it has

Please look at the opportunistic security (OS) effort currently under
IETF LC, draft-dukhovni-opportunistic-security.

Nico
-- 





[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]