- From: Grahame Grieve <grahame@kestral.com.au>
- Date: 2012年7月18日 11:00:15 +1000
- To: Paul Hoffman <paul.hoffman@gmail.com>
- Cc: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
- Message-ID: <CAG47hGaHaDsq5zpH5CT96hWYZZ1KatfRfu966eyPf4TyXFJMfA@mail.gmail.com>
> +1 to what seems to be a lot of developers: make TLS mandatory. > >> so, even when used in an internal application protocol, it's going to >> be end to end >> encrypted to make it super hard to debug? > > In an internal application protocol, why would it be "super hard to > debug"? The client can do an HTTP dump before TLS, the server can do > an HTTP dump after TLS; either of the sides could debug the TLS. yep. they can. But they have to. 3rd parties are shut out. I get that in some circumstances this is good. But not all. As an example, I spend quite a bit of my time looking at browser traffic now, to debug why my servers or clients aren't working they way that a 3rd party client/server set up is. Unless it's https, in which case.... I have to find some other way. >> http is about more than users using >> web browsers. > > Completely true, and not relevant. Insecure HTTP for non-browser > applications still has the same bad properties, no? but a much wider deployment context, and much harder to work with Grahame
Received on Wednesday, 18 July 2012 01:00:43 UTC