Re: Proposed Statement on "HTTPS everywhere for the IETF"

I support this policy.

I'd suggest that if it's felt that cleartext content needs to be available, it NOT be at <http://www.ietf.org/> (and similar); it should be on a different hostname; e.g., <http://www.cleartext.ietf.org/>. The http version of the URL should 301 to the corresponding https resource, and HSTS should be in use. 

Also, part of the reason for requiring HTTPS is that the Web platform is becoming more powerful, and so it's more vulnerable to a wide variety of attacks on the capabilities of the browser (e.g., camera, geolocation, local storage, etc.) — not just information leakage. See: <https://w3ctag.github.io/web-https/>.

Regards,


--
Mark Nottingham   https://www.mnot.net/
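
Added example, not part of the message above: a small Python check for the deployment the message describes (http 301 to the corresponding https URL, HSTS on https, cleartext only on a separate hostname). The response data is constructed, and the function names and finding codes are this example's own. It also flags one interaction to watch for: an HSTS policy with includeSubDomains on a parent domain makes browsers upgrade the cleartext hostname to https as well (RFC 6797).

```python
from urllib.parse import urlsplit

def parse_hsts(value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains)."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age" and arg.strip().strip('"').isdigit():
            max_age = int(arg.strip().strip('"'))
        elif name == "includesubdomains":
            include_sub = True
    return max_age, include_sub

def audit(responses, cleartext_hosts=()):
    """responses maps URL -> (status, headers with lower-case names)."""
    findings = []
    wide_hsts = set()  # hosts whose HSTS policy also covers their subdomains
    for url, (status, headers) in responses.items():
        u = urlsplit(url)
        if u.scheme == "https":
            max_age, include_sub = parse_hsts(headers.get("strict-transport-security", ""))
            if not max_age:  # header missing, unparsable, or max-age=0 (policy removal)
                findings.append((url, "no-hsts"))
            elif include_sub:
                wide_hsts.add(u.hostname)
        elif u.hostname not in cleartext_hosts:
            if status != 301:
                findings.append((url, "not-301"))
            # "corresponding https resource": same host, path and query
            if headers.get("location") != "https" + url[len("http"):]:
                findings.append((url, "wrong-target"))
    for host in cleartext_hosts:
        for parent in sorted(wide_hsts):
            if host.endswith("." + parent):
                findings.append((host, "hsts-covers-cleartext:" + parent))
    return findings

# Constructed sample responses (not observed from any real server).
SAMPLE = {
    "http://www.ietf.org/rfc/": (301, {"location": "https://www.ietf.org/rfc/"}),
    "https://www.ietf.org/rfc/": (200, {"strict-transport-security": "max-age=31536000"}),
    "http://www.ietf.org/about/": (302, {"location": "https://www.ietf.org/"}),
    "https://ietf.org/": (200, {"strict-transport-security": "max-age=31536000; includeSubDomains"}),
    "http://www.cleartext.ietf.org/rfc/": (200, {}),
}

if __name__ == "__main__":
    for finding in audit(SAMPLE, cleartext_hosts=("www.cleartext.ietf.org",)):
        print(finding)
```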





