* Tom Ritter:
>> I've been watching various efforts at widespread opportunistic encryption,
>> like TCPINC and STARTTLS in SMTP. It's made me wonder why it isn't used for
>> HTTP.
>
> What's the point? Anything that speaks HTTP also speaks HTTPS, so
> there's no need for the "If you support it, I have TLS available."
> Just use any of a multitude of redirect mechanisms for your webserver to
> kick people onto HTTPS.
Some clients do not send SNI, so it's possible to send HTTP requests to the right server, but not HTTPS requests. You also have to go through the hassle of obtaining and renewing certificates. Here, "you" means the person uploading content; the server operator isn't supposed to get certificates without your explicit consent (and collecting an additional fee). If basic encryption were purely a transport-layer matter (without authentication and security against active attackers), server operators could simply negotiate it with clients, just like they assign customer domains to IP addresses as they see fit today.

_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
