On Fri, Aug 22, 2014 at 12:16:22PM -0700, Tim Bray wrote:
> From: "Tim Berners-Lee" <timbl@xxxxxx>
>
> [...]
>
> Here is a proposal, that we need this convention:
>
> If two URIs differ only in the 's' of 'https:', then they may
> never be used for different things.
>
> [...]
>
> What this means is that a client given an http: URL in a reference is
> always free to try out the HTTPS, just adding an S, and use the result if
> that is successful.

It's too late for that though: all too often the two resources are not the same. A server could advertise that they are the same, but the client would first have to try HTTPS to find out, increasing latency when the server doesn't (which would be the common case at first).

IIUC the HTTP/2.0 folks are working on one transport to access both kinds of resources. And if we apply the opportunistic security pattern to this we should be able to get encrypted security (even if often unauthenticated) when using http URIs.

> Or do we have to only build serious internet applications as browser
> extensions or native apps?

I agree with the idea though, that we should apply opportunistic security when we would otherwise just use plaintext!

> I suspect this has been discussed in many fora -- apologies if the issue is
> already noted and resolved, and do point to where it has

Please look at the opportunistic security (OS) effort currently under IETF LC, draft-dukhovni-opportunistic-security.

Nico
--