On Mon, 15 Sep 2014, Henri Sivonen wrote:
What the Chrome folks suggest for HTTP/2 would give rise to a situation where your alternatives are still one one hand unencrypted and unauthenticated and on the other hand encrypted and authenticated *but* the latter is *faster*.
You mess up that reversal of the speed argument if you let unauthenticated be as fast as authenticated.
In my view that is a very depressing argument. That's favouring *not* improving something just to make sure the other option runs faster in comparision. Shouldn't we strive to make the user experience better for all users, even those accessing HTTP sites?
In a world with millions and billions of printers, fridges, TVs, settop boxes, elevators, nannycams or whatever all using embedded web servers - the amount of certificate handling for all those devices to run and use fully authenticated HTTPS is enough to prevent a large amount of those to just not go there. With opp-sec we could still up the level and make pervasive monitoring of a lot of such network connections much more expensive.
-- / daniel.haxx.se _______________________________________________ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform
