On Mon, Sep 15, 2014 at 9:08 AM, Anne van Kesteren <ann...@annevk.nl> wrote:
> On Mon, Sep 15, 2014 at 5:59 PM, Richard Barnes <rbar...@mozilla.com> > wrote: > > On Sep 15, 2014, at 5:11 AM, Henri Sivonen <hsivo...@hsivonen.fi> wrote: > >> I think the primary way for making the experience better for users > >> currently accessing http sites should be getting the sites to switch > >> to https so that subsequently people accessing those sites would be > >> accessing https sites. That way, the user experience not only benefits > >> from HTTP/2 performance but also from the absence of ISP-injected ads > >> or other MITMing. > > > > "Just turn on HTTPS" is not as trivial as you seem to think. For > example, mixed content blocking means that you can't upgrade until all of > your external dependencies have too. > > I don't think anyone is suggesting it's trivial. We're saying that a) > it's necessary if you want to prevent MITM, ad-injection, etc. and b) > it's required for new features such as service workers (which in turn > are required if you want to make your site work offline). > > At the moment setting up TLS is quite a bit of hassle and requires > dealing with CAs to get a certificate. But given that there's no way > around TLS becoming the bottom line for interesting new features in > browsers, we need to start looking into how we can simplify that > process. > > Looking into how we can prolong the non-TLS infrastructure should have > much less priority I think. I'm not really sure what's being debated here. There seem to be several questions, each of which has both a standards and implementation answer. - Should there be HTTP2 w/o authenticated TLS (i.e., HTTPS)? [Standards answer: Yes. Chrome answer: no. Firefox answer: no HTTP w/o TLS but support opportunistic unauthenticated TLS.] - Should there be new Web features on non-HTTPS origins? Specifically. * ServiceWorkers [Standards answer: HTTPS only, Chrome/Firefox answer: same] * WebCrypto [Standards answer: yes, Google answer: No, Firefox yes.] * gUM [Standards answer: yes, Chrome/Firefox answer: same] Generally, I think it's useful to distinguish between settings where TLS is especially necessary for security reasons (e.g., gUM persistent permissions) and those where it's merely desirable as part of a general raising of the security the bar (arguably gUM). It seems like much of the debate about WebCrypto is where it falls in this taxonomy. > Google seems to have the right trade off > and the "IETF consensus" seems to be unaware of what is happening > elsewhere. I don't think it's clear that Google has a general position, seeing as they are doing gUM without HTTPS. I'd also be interested in what is happening elsewhere that you think that the IETF consensus is unaware of. Maybe I too am unaware of it. Perhaps you could enlighten me? -Ekr _______________________________________________ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform
