Join GitHub today
GitHub is home to over 28 million developers working together to host and review code, manage projects, and build software together.Sign up
HTTP:// URIs over TLS #315
One of the approaches considered for improving security is opportunistic encryption.
Two variants have been discussed; "relaxed" where server authentication is not checked, and "strict", where it is. In discussion, it appears that there's a preference for just using HTTPS URLs over "strict", but there is still some interest in "relaxed."
There appears to be some implementer interest in this approach, but not yet readiness to implement, so this issue is on hold.
Note that opp encryption might also be applied to HTTP/1.1.
See a breakdown of terminology at:
Notes from Zurich:
HTTP URIs over TLS
a. In-band Hint (header) - optional to use.
b. DNS -- not now.
c. use existing 443 connection for defaulted ports - some interest (esp. in addition to other mechanisms); needs refusal. SETTINGS indicator for support; refusal error code (?)
d. encryption inside HTTP/2 -- no
e. speculative connection -- we will say nothing about this
i. Refusal (you got the endpoint wrong)
ii. implicit shortcut
See also: http://tools.ietf.org/html/draft-hoffman-uta-opportunistic-tls-00
https://tools.ietf.org/html/draft-nottingham-http2-encryption-03 is the latest proposal in this regard.