HTTP2 and http:// URIs on the "open" internet #314

Closed
mnot opened this Issue Nov 15, 2013 · 6 comments

Member

mnot commented Nov 15, 2013

A number of browser implementers have stated an intent to only implement HTTP/2 over TLS for traffic over the "open" internet.

They can achieve that today by only implementing HTTP/2 for https:// URIs, requiring sites that wish to use the new protocol to redirect http:// URIs, possibly using HSTS to "pin" that upgrade.

As such, we do not necessarily need to specify this with requirements (e.g., with a MUST or MUST NOT); those sites that want to use the new protocol with these browsers will implement the pattern above.

However, to promote interoperability, we might want to give guiding language or even requirements to frame this. This issue is specifically for collecting proposals for such text.
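
The redirect-plus-HSTS pattern described in the opening post, as an added example that is not part of the issue thread or the working group's text: a Python check over a site's http:// and https:// responses, with HSTS header parsing following RFC 6797. The function names, the response dict shape and the `example.com` responses are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797, section 6.1).
    Returns (max_age, include_subdomains), or None if the header is invalid."""
    seen = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        if not name:
            continue
        if name in seen:                     # a repeated directive invalidates the header
            return None
        seen[name] = val.strip().strip('"')  # max-age may be a quoted-string
    if not re.fullmatch(r"[0-9]+", seen.get("max-age", "")):  # max-age is required
        return None
    return int(seen["max-age"]), "includesubdomains" in seen

def check_upgrade(host, http_resp, https_resp):
    """List the problems in a site's http:// -> https:// redirect plus HSTS setup.
    Responses are dicts: {"status": int, "headers": {lowercase-name: value}}."""
    problems = []
    loc = urlsplit(http_resp["headers"].get("location", ""))
    if http_resp["status"] not in (301, 302, 303, 307, 308):
        problems.append("http:// URI is served directly instead of redirected")
    elif loc.scheme != "https" or loc.hostname != host:
        problems.append("redirect target is not https:// on the same host")
    if "strict-transport-security" in http_resp["headers"]:
        problems.append("HSTS header on plain HTTP is ignored by user agents")
    hsts = parse_hsts(https_resp["headers"].get("strict-transport-security", ""))
    if hsts is None:
        problems.append("https:// response carries no valid HSTS header")
    elif hsts[0] == 0:
        problems.append("max-age=0 clears the pin instead of setting it")
    return problems

# Constructed sample responses for a hypothetical host, not captured traffic.
GOOD = ({"status": 301, "headers": {"location": "https://example.com/"}},
        {"status": 200, "headers": {"strict-transport-security":
                                    "max-age=31536000; includeSubDomains"}})
BAD = ({"status": 200, "headers": {"strict-transport-security": "max-age=600"}},
       {"status": 200, "headers": {"strict-transport-security": "max-age=0"}})

if __name__ == "__main__":
    for label, (plain, secure) in (("good", GOOD), ("bad", BAD)):
        print(label, check_upgrade("example.com", plain, secure))
```

The same-host check matters because an HSTS pin applies to the host that sent the header; a redirect to a different host leaves the original http:// host unpinned.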

phluid61 Nov 15, 2013

Contributor

Just playing devil's advocate, but a simple option is to say nothing.

mnot Nov 15, 2013

Member

Yep, that's definitely one option.

lanthaler Nov 15, 2013

Using https instead of http doesn't just change the bits on the wire but also has a number of other important side effects (at least) in browsers. For example, referrers may not be sent anymore, information in form fields isn't stored anymore for autocompletion etc. etc. I think it would be very beneficial to still keep this distinction of sensitivity/confidentiality. Whether traffic to http URIs is then (optimistically) encrypted or not doesn't really matter to the average end user. The different UX, on the other hand, does.

michaelrsweet Nov 15, 2013

Since MITM https:// proxies exist and are widely deployed, https:// is no safer than http:// for open internet usage.

I think we need to revisit the existing HTTP/1.1 Upgrade header, which specifically talks about supporting future major versions of HTTP. Aside from addressing how HTTP/2.0 proxies would work/interoperate, it would seem to deal with the perceived reliability issues as well.

mnot Nov 17, 2013

Member

Gents,

Good to see the discussion, but it needs to take place on the list, not here.

Thanks,

mnot Jan 24, 2014

Member

Discussed in Zurich; the WG agreed that we will allow HTTP2 to be used with HTTP URIs, with or without TLS, without constraints from us.

@mnot mnot closed this Jan 24, 2014

@mnot mnot added the writeup label Dec 4, 2014
