Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

HTTP:// URIs over TLS #315

Closed
mnot opened this issue Nov 15, 2013 · 12 comments
Closed

HTTP:// URIs over TLS #315

mnot opened this issue Nov 15, 2013 · 12 comments
Labels
design security writeup

Comments

@mnot
Copy link
Member

mnot commented Nov 15, 2013

One of the approaches considered for improving security is opportunistic encryption.

Two variants have been discussed; "relaxed" where server authentication is not checked, and "strict", where it is. In discussion, it appears that there's a preference for just using HTTPS URLs over "strict", but there is still some interest in "relaxed."

There appears to be some implementer interest in this approach, but not yet readiness to implement, so this issue is on hold.

Note that opp encryption might also be applied to HTTP/1.1.
@mnot mnot mentioned this issue Nov 15, 2013
Closed
@mnot
Copy link
Member Author

mnot commented Nov 21, 2013

See a breakdown of terminology at:
https://github.com/http2/http2-spec/wiki/Encryption-Terminology

@paulehoffman
Copy link

The description of this topic still only lists draft-nottingham-http2-encryption as an approach. Please add draft-hoffman-httpbis-minimal-unauth-enc, which does opportunistic encryption in a very different way than draft-nottingham-http2-encryption.

@mnot
Copy link
Member Author

mnot commented Jan 24, 2014

Discussed in Zurich; further discussion in London; mark and patrick to revise draft and experiment. However, this will not block HTTP/2 unless delay is minimal.

@mnot
Copy link
Member Author

mnot commented Jan 24, 2014

Notes from Zurich:

HTTP URIs over TLS

  1. no

Authentication

  1. unauthenticated
  2. authenticated == HTTPS
  3. not WebPKI-authenticated (TACK? DANE? ETC. ETC.) -- NOT US

Discovery

a. In-band Hint (header) - optional to use.

b. DNS -- not now.
I. SRV
II. TXT
III. SVCINFO
IV. HASTLS

c. use existing 443 connection for defaulted ports - some interest (esp. in addition to other mechanisms); needs refusal. SETTINGS indicator for support; refusal error code (?)

d. encryption inside HTTP/2 -- no

e. speculative connection -- we will say nothing about this

Add-ons

i. Refusal (you got the endpoint wrong)

ii. implicit shortcut

iii. pinning

@mnot
Copy link
Member Author

mnot commented Feb 19, 2014

See also:
https://tools.ietf.org/html/draft-miller-http-unauth-tls

@paulehoffman
Copy link

It would be good if the community could acknowledge the differences between opportunistic (doing something good that wasn't asked for) and unauthenticated (a security state).

--Paul Hoffman

@mnot
Copy link
Member Author

mnot commented Mar 5, 2014

Discussed in London; support for documenting this.

@mnot mnot added this to the Fourth Implementation Draft milestone Mar 5, 2014
@enygren
Copy link

enygren commented Mar 8, 2014

See also: http://tools.ietf.org/html/draft-hoffman-uta-opportunistic-tls-00
which was discussed in UTA.

@mcilvena
Copy link

@mnot What are the fundamental difference between opportunistic TLS and RFC 2817?

@bagder
Copy link

bagder commented Mar 12, 2014

@mcilvena take it to the mailing list? RFC2817 is quite different than the current Alt-Svc proposal. See http://tools.ietf.org/html/draft-nottingham-httpbis-alt-svc-03

@mnot mnot removed this from the Fourth Implementation Draft milestone Mar 27, 2014
@martinthomson
Copy link
Collaborator

https://tools.ietf.org/html/draft-nottingham-http2-encryption-03 is the latest proposal in this regard.

@mnot
Copy link
Member Author

mnot commented Jun 6, 2014

Discussed in NYC; agreed to adopt as WG Experimental. Martin to edit.

@mnot mnot closed this as completed Jun 6, 2014
@mnot mnot added the writeup label Dec 4, 2014
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
design security writeup
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@martinthomson @mnot @bagder @mcilvena @paulehoffman @enygren