It would be secure against wifi eavesdropping. But worse, it might instill a false sense of security.
On Mon, Aug 18, 2014 at 9:29 PM, Tony Arcieri <[email protected]> wrote:
> Anyone know why this hasn't gained adoption?
>
> http://tools.ietf.org/html/rfc2817
>
> I've been watching various efforts at widespread opportunistic encryption,
> like TCPINC and STARTTLS in SMTP. It's made me wonder why it isn't used for
> HTTP.
>
> Opportunistic encryption could be completely transparent. We don't need
> any external facing UI changes for users (although perhaps plaintext HTTP
> on port 80 could show a broken lock). Instead, if the server and client
> mutually support it, TLS with an unauthenticated key exchange is used.
>
> It seems most modern web browsers and web servers are built with TLS
> support. Why not always flip it on if it's available on both sides, even if
> it's trivially MitMed?
>
> --
> Tony Arcieri
>
> _______________________________________________
> cryptography mailing list
> [email protected]
> http://lists.randombit.net/mailman/listinfo/cryptography
