On 8/19/2014 12:29 AM, Tony Arcieri wrote:
Anyone know why this hasn't gained adoption?
http://tools.ietf.org/html/rfc2817
I've been watching various efforts at widespread opportunistic
encryption, like TCPINC and STARTTLS in SMTP. It's made me wonder why
it isn't used for HTTP.
Opportunistic encryption could be completely transparent. We don't
need any external facing UI changes for users (although perhaps
plaintext HTTP on port 80 could show a broken lock). Instead, if the
server and client mutually support it, TLS with an unauthenticated key
exchange is used.
It seems most modern web browsers and web servers are built with TLS
support. Why not always flip it on if it's available on both sides,
even if it's trivially MitMed?
--
Tony Arcieri
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
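The optional Upgrade exchange Tony is asking about, modelled at the HTTP/1.1 message level as an added example (not code from the thread or from any RFC 2817 implementation; the host name and the 'optional'/'required'/'none' policy strings are my own assumptions):

```python
# Message-level model of the RFC 2817 "Upgrade: TLS/1.0" negotiation. Only the
# HTTP/1.1 exchange is modelled; the TLS handshake after a 101 is the string "tls".
CRLF = "\r\n"

def build_upgrade_request(host: str, path: str = "/") -> str:
    """Client side: an ordinary request carrying the optional upgrade hint."""
    return CRLF.join([
        f"GET {path} HTTP/1.1",
        f"Host: {host}",
        "Upgrade: TLS/1.0",      # RFC 2817 section 3.1 (optional upgrade)
        "Connection: Upgrade",   # hop-by-hop, so an intermediary may drop it
        "", "",
    ])

def parse_headers(message: str) -> tuple[str, dict[str, str]]:
    """Split a message head into its start line and a lowercased header map."""
    head = message.split(CRLF + CRLF, 1)[0]
    start, *lines = head.split(CRLF)
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return start, headers

def server_respond(request: str, policy: str) -> str:
    """Server side. policy: 'optional', 'required' or 'none' (no TLS support)."""
    _, headers = parse_headers(request)
    wants = ("tls/1.0" in headers.get("upgrade", "").lower()
             and "upgrade" in headers.get("connection", "").lower())
    if wants and policy in ("optional", "required"):
        return CRLF.join(["HTTP/1.1 101 Switching Protocols",
                          "Upgrade: TLS/1.0, HTTP/1.1", "Connection: Upgrade", "", ""])
    if policy == "required":   # RFC 2817 section 4.2 (mandatory upgrade)
        return CRLF.join(["HTTP/1.1 426 Upgrade Required", "Upgrade: TLS/1.0, HTTP/1.1",
                          "Connection: Upgrade", "Content-Length: 0", "", ""])
    return CRLF.join(["HTTP/1.1 200 OK", "Content-Length: 0", "", ""])  # plaintext

def client_outcome(response: str) -> str:
    """What the client does next: 'tls', 'plaintext' or 'refused'."""
    start, headers = parse_headers(response)
    code = int(start.split()[1])
    if code == 101 and "tls/1.0" in headers.get("upgrade", "").lower():
        return "tls"          # begin the TLS handshake on the same connection
    if code == 426:
        return "refused"      # server will not serve this resource in the clear
    # Any other status is plain HTTP. The client cannot distinguish a server that
    # lacks TLS from one whose Upgrade header never arrived: the opportunistic limit.
    return "plaintext"
```

Only the 426 path lets a server refuse plaintext; a client that sees 200 instead of 101 has no way to know whether the upgrade was unsupported or lost in transit.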
I think section 8.1 answers your question. People will most likely feel
that the risks make this mechanism not worth it.
--
Kevin