Make the intro to http2-encryption clearer about the scope #301
@@ -48,7 +48,7 @@ informative: | |
|
||
--- abstract | ||
|
||
This document describes how `http` URIs can be accessed using Transport Layer Security (TLS) to | ||
This document describes how `http` URIs can be accessed using Transport Layer Security (TLS) in HTTP/2 to | ||
mitigate pervasive monitoring attacks. | ||
|
||
--- note_Note_to_Readers | ||
|
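Review bot: the new abstract line still says the mechanism is used "to mitigate pervasive monitoring attacks" without qualification, while the Introduction text changed in this same PR limits the guarantee to passive attacks and states that Opportunistic Security is vulnerable to active attacks; since the point of the PR is to make the scope clear, suggest the abstract match, e.g. "to mitigate passive pervasive monitoring attacks" or "to provide protection against passive attacks". Also, "using Transport Layer Security (TLS) in HTTP/2" reads as if TLS were layered inside HTTP/2; "accessed over HTTP/2 using Transport Layer Security (TLS)" or "using TLS and HTTP/2" says what is meant.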
@@ -64,16 +64,18 @@ for this draft can be found at <https://github.com/httpwg/http-extensions/labels | |
# Introduction | ||
|
||
This document describes a use of HTTP Alternative Services {{RFC7838}} to decouple | ||
the URI scheme from the use and configuration of underlying encryption, allowing a `http` URI | ||
{{RFC7230}} to be accessed using Transport Layer Security (TLS) {{RFC5246}} opportunistically. | ||
|
||
Serving `https` URIs requires avoiding Mixed Content {{W3C.CR-mixed-content-20160802}}, which is | ||
problematic in many deployments. This document describes a usage model whereby sites can serve | ||
`http` URIs over TLS, thereby avoiding these issues, while still providing protection against | ||
the URI scheme from the use and configuration of underlying encryption. | ||
It allows HTTP/2 {{RFC7540}} to access a `http` URI | ||
Comment: This is worded oddly. Suggest "It allows a
Comment: "a" or "an" for "http"?
||
{{RFC7230}} using Transport Layer Security (TLS) {{RFC5246}} | ||
with Opportunistic Security {{RFC7435}}. | ||
|
||
This document describes a usage model whereby sites can serve | ||
`http` URIs over TLS, thereby avoiding the problem of serving | ||
Mixed Content (describe in {{W3C.CR-mixed-content-20160802}}) while still providing protection against | ||
Comment: described
||
passive attacks. | ||
|
||
Opportunistic Security {{RFC7435}} does not provide the same guarantees as using TLS with `https` | ||
URIs; it is vulnerable to active attacks, and does not change the security context of the | ||
Opportunistic Security does not provide the same guarantees as using TLS with `https` | ||
URIs; Opportunistic Security is vulnerable to active attacks, and does not change the security context of the | ||
Comment: I think this would read more clearly if it were just "...URIs, because it is vulnerable..."
Comment: WFM
||
connection. Normally, users will not be able to tell that it is in use (i.e., there will be no | ||
"lock icon"). | ||
|
||
|
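Review bot: the rewritten Mixed Content paragraph ("This document describes a usage model whereby sites can serve `http` URIs over TLS, thereby avoiding the problem of serving Mixed Content ...") drops the justification the removed text gave, "which is problematic in many deployments"; as rewritten the reader is told that Mixed Content is avoided but not why that matters, so suggest keeping the clause, e.g. "thereby avoiding the problem of serving Mixed Content (described in {{W3C.CR-mixed-content-20160802}}), which is problematic in many deployments, while still providing protection against passive attacks." In the same span "describe in" should be "described in". In the sentence "It allows HTTP/2 {{RFC7540}} to access a `http` URI", HTTP/2 is not the thing that accesses a URI; suggest "It allows an `http` URI {{RFC7230}} to be accessed over HTTP/2 {{RFC7540}} using Transport Layer Security (TLS) {{RFC5246}} with Opportunistic Security {{RFC7435}}.", which also settles the "a"/"an" question. The repeated subject in "does not provide the same guarantees as using TLS with `https` URIs; Opportunistic Security is vulnerable to active attacks" can be collapsed to "... `https` URIs, because it is vulnerable to active attacks, and does not change ...".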
Comment: in -> and