HTTP 2.0 May Be SSL-Only
An anonymous reader writes "In an email to the HTTP working group, Mark Nottingham laid out the three top proposals about how HTTP 2.0 will handle encryption. The frontrunner right now is this: 'HTTP/2 to only be used with https:// URIs on the "open" Internet. http:// URIs would continue to use HTTP/1.' This isn't set in stone yet, but Nottingham said they will 'discuss formalising this with suitable requirements to encourage interoperability.' There appears to be support from browser vendors; he says they have been 'among those most strongly advocating more use of encryption.' The big goal here is to increase the use of encryption on the open web. One big point in favor of this plan is that if it doesn't work well (i.e., if adoption is poor), then they can add support for opportunistic encryption later. Going from opportunistic to mandatory encryption would be a much harder task. Nottingham adds, 'To be clear — we will still define how to use HTTP/2.0 with http:// URIs, because in some use cases, an implementer may make an informed choice to use the protocol without encryption. However, for the common case — browsing the open Web — you'll need to use https:// URIs if you want to use the newest version of HTTP.'"
StartSSL (Score:5, Informative)
Re:Usability issue, not hard technical one... (Score:4, Informative)
Normal people know that there's a difference between HTTP and HTTPS?
Re:Still extortion... (Score:5, Informative)
Unless I run my own DNS, which is far easier than running a CA.
Not if you are using DNSSEC, it isn't. You talk about running your own DNS under those conditions as though a self-signed cert doesn't require a CA; it does. There's no such thing as certs without a CA...
DANE (DNS-based Authentication of Named Entities), RFC 6698, does NOT require the use of a recognized CA, although it does not disallow it. There are four "usage" types for certificates (excerpts from the RFC follow):
Both certificate usage 2 and certificate usage 3 allow a domain's administrator to issue a certificate without requiring the involvement of a third-party CA. For more information on DANE, refer to either RFC 6698 [ietf.org] or the Wikipedia article [wikipedia.org].
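The four usage values the comment refers to are, in RFC 6698's terms, 0 = PKIX-TA (a CA that must also be in the client's trust store), 1 = PKIX-EE (the end-entity certificate, which must also validate under PKIX), 2 = DANE-TA (a trust anchor named by DNS alone) and 3 = DANE-EE (the end-entity certificate named by DNS alone). The following is an added example, not code from the thread or from the RFC, showing how a zone operator would derive a TLSA record from a certificate and how a client applies the four usages when deciding whether to accept a presented chain. The "certificates" are constructed placeholder byte strings standing in for DER-encoded X.509 certificates and their SubjectPublicKeyInfo; a real deployment would hash the DER that openssl emits. DNSSEC validation of the TLSA RRset itself, and the RFC 7671 name-matching rules, are outside what this example covers.

```python
"""DANE (RFC 6698) TLSA record generation and matching, standard library only."""
import hashlib
from dataclasses import dataclass

# RFC 6698 field values
USAGE_PKIX_TA, USAGE_PKIX_EE, USAGE_DANE_TA, USAGE_DANE_EE = 0, 1, 2, 3
SELECTOR_CERT, SELECTOR_SPKI = 0, 1            # hash the whole cert, or only its public key
MATCH_FULL, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2


@dataclass(frozen=True)
class Cert:
    """Stand-in for an X.509 certificate: its DER bytes and its SPKI DER bytes (constructed)."""
    name: str
    der: bytes
    spki: bytes


@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int
    matching: int
    data: bytes

    def rdata(self) -> str:
        """Presentation format as it would appear in a zone file."""
        return f"{self.usage} {self.selector} {self.matching} {self.data.hex()}"


def _selected(cert: Cert, selector: int) -> bytes:
    return cert.der if selector == SELECTOR_CERT else cert.spki


def _assoc_data(blob: bytes, matching: int) -> bytes:
    if matching == MATCH_FULL:
        return blob
    if matching == MATCH_SHA256:
        return hashlib.sha256(blob).digest()
    if matching == MATCH_SHA512:
        return hashlib.sha512(blob).digest()
    raise ValueError(f"unknown matching type {matching}")


def make_tlsa(cert: Cert, usage: int, selector: int = SELECTOR_SPKI,
              matching: int = MATCH_SHA256) -> TLSA:
    """Build the TLSA record an operator would publish for `cert` (default: "u 1 1")."""
    return TLSA(usage, selector, matching, _assoc_data(_selected(cert, selector), matching))


def _matches(rec: TLSA, cert: Cert) -> bool:
    return _assoc_data(_selected(cert, rec.selector), rec.matching) == rec.data


def dane_verify(chain, records, pkix_valid: bool):
    """Accept the presented chain (end-entity first) if any TLSA record is satisfied.

    Usages 0 and 1 also require ordinary PKIX validation against the client's
    CA store (`pkix_valid`); usages 2 and 3 do not, which is what lets a zone
    operator publish a certificate no public CA ever signed.  Simplification:
    for usages 0 and 2 the matched certificate only has to appear above the
    end-entity in the presented chain; a full client would also path-validate
    the chain up to that certificate.
    """
    ee, issuers = chain[0], chain[1:]
    for rec in records:
        if rec.usage == USAGE_PKIX_TA and pkix_valid and any(_matches(rec, c) for c in issuers):
            return True, "PKIX-TA"
        if rec.usage == USAGE_PKIX_EE and pkix_valid and _matches(rec, ee):
            return True, "PKIX-EE"
        if rec.usage == USAGE_DANE_TA and any(_matches(rec, c) for c in issuers):
            return True, "DANE-TA"
        if rec.usage == USAGE_DANE_EE and _matches(rec, ee):
            return True, "DANE-EE"
    return False, "no TLSA record matched"


# Constructed sample material; none of this is real DER.
SELF_SIGNED = Cert("self-signed EE", b"DER:example.org:selfsigned", b"SPKI:example.org:key1")
PRIVATE_CA = Cert("private CA", b"DER:Private Root CA", b"SPKI:private-ca-key")
CA_SIGNED_EE = Cert("CA-signed EE", b"DER:example.org:issued-by-private-ca", b"SPKI:example.org:key2")
MITM_EE = Cert("attacker EE", b"DER:example.org:mitm", b"SPKI:attacker-key")


def demo():
    rec3 = make_tlsa(SELF_SIGNED, USAGE_DANE_EE)                        # pin the key, no CA at all
    rec2 = make_tlsa(PRIVATE_CA, USAGE_DANE_TA, selector=SELECTOR_CERT)  # pin a private CA
    return {
        "zone": f"_443._tcp.example.org. IN TLSA {rec3.rdata()}",
        "self_signed": dane_verify([SELF_SIGNED], [rec3], pkix_valid=False),
        "private_ca": dane_verify([CA_SIGNED_EE, PRIVATE_CA], [rec2], pkix_valid=False),
        # Even a cert a public CA would vouch for is refused: no usage 0/1 record is published.
        "mitm": dane_verify([MITM_EE], [rec3, rec2], pkix_valid=True),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The last case in `demo()` is the property worth noticing: once the zone publishes only usage 2 and 3 records, a certificate issued by some other, publicly trusted CA is not accepted for the name, so DANE restricts which CAs can vouch for a host as well as removing the need for one.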
Re:Only if I can use self signed certs (Score:4, Informative)
You can check if the certificate is the same one the site produced last time.
Or go through a third party that confirms it is seeing the same certificate you are seeing.
Obviously not foolproof but these both approach the current security of the authority-signing.
Re:Only if I can use self signed certs (Score:4, Informative)
Check if it is the same certificate you saw when you visited the site the last time.
Go through a third party (perhaps one using a signed certificate) and check that you both see the same certificate.
Both of these will defeat a lot of man-in-the-middle attacks.
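The two checks proposed in the two comments above, trust-on-first-use and a cross-check against independent vantage points, as an added example that is not part of either post. The "notary" responses are constructed dicts standing in for what a Perspectives- or Convergence-style lookup would return, and the certificate byte strings are placeholders for DER certificates. The one decision the comments leave implicit is what to do when the fingerprint changes: here a change is accepted as a key rotation only when a quorum of notaries sees the same new certificate, and treated as a mismatch when they still see the old one, since interception of a single client's path shows up as exactly that disagreement.

```python
"""Trust-on-first-use pinning plus a notary cross-check for self-signed certificates."""
import hashlib


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER certificate, hex, the form browsers display."""
    return hashlib.sha256(cert_der).hexdigest()


class PinStore:
    def __init__(self):
        self._seen = {}  # host -> fingerprint recorded on first successful visit

    def check(self, host: str, cert_der: bytes, notary_views=None, quorum: int = 2) -> str:
        """Classify the certificate presented by `host`.

        notary_views: {notary_name: fingerprint that notary observed for host}
        quorum: how many notaries must agree with our view before a changed
                certificate is accepted as a legitimate rotation.
        """
        fp = fingerprint(cert_der)
        prior = self._seen.get(host)
        if prior is None:
            self._seen[host] = fp
            return "FIRST_USE"      # nothing to compare against: the one window an attacker has
        if prior == fp:
            return "MATCH"
        # Changed since last visit: rotation or interception. Ask the rest of the world.
        if notary_views:
            agree = sum(1 for seen in notary_views.values() if seen == fp)
            if agree >= quorum:
                self._seen[host] = fp
                return "ROTATED"    # everyone else sees the new cert too
        return "MISMATCH"           # only our path sees it, or nobody could confirm


def demo():
    store = PinStore()
    old = b"DER:example.net:key-2013"   # constructed stand-ins for DER certificates
    new = b"DER:example.net:key-2014"
    mitm = b"DER:example.net:attacker"
    notaries_rotated = {n: fingerprint(new) for n in ("notary-a", "notary-b", "notary-c")}
    notaries_mitm = {n: fingerprint(old) for n in ("notary-a", "notary-b", "notary-c")}
    return [
        store.check("example.net", old),                    # first visit
        store.check("example.net", old),                    # repeat visit
        store.check("example.net", mitm, notaries_mitm),    # we see a new cert, notaries see the old one
        store.check("example.net", new, notaries_rotated),  # site rotated; notaries agree
        store.check("example.net", new),                    # pin was updated
    ]


if __name__ == "__main__":
    print(demo())
```

Neither check helps on the very first connection, which is why the two are usually combined: the notary answer can be consulted on first use as well, and a host the notaries have seen consistently for weeks is a better bet than one that appeared this morning.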
Re:Only if I can use self signed certs (Score:2, Informative)
I tried that - then discovered that MS Exchange* will NOT do ActiveSync properly to some devices unless the cert is proper trusted one.
Bloody annoying.
If the world wants https-everywhere, then a) free trusted signed certs must be available for everyone (like StartSSL offers, but with wildcard certs as well), and b) the ability to attach different certs to virtual hosts on the SAME ip must be enabled (IIS on Windows can't do this - can Apache/non-MS-Webservers do it?)
(*And no, I won't swap to a Linux/SendMail/Whatever solution, as I'm a professional MS consultant, so have to eat my own dog food)
-Jar
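Different certificates for several names on one IP and port is what TLS Server Name Indication (SNI, RFC 6066) provides: the client sends the hostname in the ClientHello, so the server can pick the matching certificate before the handshake completes. Apache httpd 2.2.12 and later, built against OpenSSL 0.9.8j or later, support it, and IIS 8 on Windows Server 2012 added a "Require Server Name Indication" option on HTTPS bindings. The following is an added Apache configuration fragment, not from the comment above; the hostnames and key paths are placeholders.

```apache
# Two HTTPS name-based virtual hosts on one address:port, each with its own certificate.
Listen 443

# Needed on httpd 2.2; on 2.4 it is implicit and only produces a warning, so drop it there.
NameVirtualHost *:443

# The first vhost for *:443 is also the default: clients that send no SNI
# (Windows XP-era Internet Explorer, some older ActiveSync devices) get this certificate.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example.org
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.org.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.org.key
    # A non-SNI client can still reach this vhost by Host header after
    # handshaking with the default certificate (and a name mismatch warning).
    # Return 403 in that case instead of serving the site under the wrong cert.
    SSLStrictSNIVHostCheck on
</VirtualHost>
```

Test which certificate a client receives with `openssl s_client -connect host:443 -servername www.example.org`, and again without `-servername` to see the default vhost's certificate; that second case is the one the non-SNI ActiveSync devices mentioned in the comment will hit.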