Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

HTTP2 and http:// URIs on the "open" internet #314

Closed
mnot opened this issue Nov 15, 2013 · 6 comments
Closed

HTTP2 and http:// URIs on the "open" internet #314

mnot opened this issue Nov 15, 2013 · 6 comments
Labels
design security writeup

Comments

@mnot
Copy link
Member

mnot commented Nov 15, 2013

A number of browser implementers have stated an intent to only implement HTTP/2 over TLS for traffic over the "open" internet.

They can achieve that today by only implementing HTTP/2 for https:// URIs, requiring site that wish to use the new protocol to redirect http:// URIs, possibly using HSTS to "pin" that upgrade.

As such, we do not necessarily need to specify this with requirements (e.g., with a MUST or MUST NOT); those sites that want to use the new protocol with these browsers will implement the pattern above.

However, to promote interoperability, we might want to give guiding language or even requirements to frame this. This issue is specifically for collecting proposals for such text.
@mnot mnot mentioned this issue Nov 15, 2013
Closed
@phluid61
Copy link
Contributor

Just playing devil's advocate, but a simple option is to say nothing.

@mnot
Copy link
Member Author

mnot commented Nov 15, 2013

Yep, that's definitely one option.

@lanthaler
Copy link

Using https instead of http doesn't just change the bits on the wire but has also a number of other important side effects (at least) in browsers. For example referrers may not be sent anymore, information in form fields isn't stored anymore for autocompletion etc. etc. I think it would be very beneficial to still keep this distinction of sensitivity/confidentiality. Whether traffic to http URIs is then (optimistically) encrypted or not, doesn't really matter to the average end user. The different UX on the hand does.

@michaelrsweet
Copy link

Since MITM https:// proxies exist and are widely deployed, https:// is no safer than http:// for open internet usage.

I think we need to revisit the existing HTTP/1.1 Upgrade header, which specifically talks about supporting future major versions of HTTP. Aside from addressing how HTTP/2.0 proxies would work/interoperate, it would seem to deal with the perceived reliability issues as well.

@mnot
Copy link
Member Author

mnot commented Nov 17, 2013

Gents,

Good to see the discussion, but it needs to take place on the list not here.

Thanks,

@mnot
Copy link
Member Author

mnot commented Jan 24, 2014

Discussed in Zurich; the WG agreed that we will allow HTTP2 to be used with HTTP URIs, with or without TLS, without constraints from us.

@mnot mnot closed this as completed Jan 24, 2014
@mnot mnot added the writeup label Dec 4, 2014
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
design security writeup
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@mnot @phluid61 @lanthaler @michaelrsweet