
HTTP2 doesn't require encryption but it does compress the headers. I'm guessing compression makes it too CPU-intensive for telecoms to manipulate the headers on the fly.
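An added example, not from this thread, of why rewriting HTTP/2 headers is a state-tracking problem and not only a CPU-cost one: a minimal HPACK (RFC 7541) encoder and decoder with a three-entry slice of the static table and a per-connection dynamic table. The same request sent twice compresses to four index bytes the second time, so a middlebox that did not track the first block cannot decode the second, and any header it inserts or changes shifts the dynamic table for every later block on that connection. Assumed: names, values and indices below 127 (single-byte HPACK integers), no Huffman coding, and a constructed `x-constructed-id` header.

```python
# Assumed subset: single-byte HPACK integers (values below 127, RFC 7541 5.1), no Huffman coding.
STATIC = {2: (":method", "GET"), 4: (":path", "/"), 38: ("host", "")}  # 3 of the 61 entries
STATIC_INDEX, STATIC_SIZE = {v: k for k, v in STATIC.items()}, 61   # dynamic entries start at 62

def encode_str(s):                    # length byte (H bit 0 = raw octets), then the octets
    assert len(s.encode()) < 127, "string too long for this subset"
    return bytes([len(s.encode())]) + s.encode()

def decode_str(buf, pos):
    assert not buf[pos] & 0x80, "Huffman strings not supported"
    return buf[pos + 1:pos + 1 + buf[pos]].decode(), pos + 1 + buf[pos]

def encode_block(headers, table):     # `table`: the connection's dynamic table (mutated)
    out = b""
    for h in headers:
        if h in table:                # sent earlier on this connection: one byte
            out += bytes([0x80 | (table.index(h) + STATIC_SIZE + 1)])
        elif h in STATIC_INDEX:
            out += bytes([0x80 | STATIC_INDEX[h]])
        else:                         # literal with incremental indexing, new name
            out += b"\x40" + encode_str(h[0]) + encode_str(h[1])
            table.insert(0, h)
    return out

def decode_block(buf, table):         # `table`: the decoder's copy of the dynamic table
    headers, pos = [], 0
    while pos < len(buf):
        b, pos = buf[pos], pos + 1
        if b & 0x80:                  # indexed: 1..61 static, 62.. dynamic (newest first)
            idx = b & 0x7F            # IndexError here if this table missed an earlier block
            headers.append(STATIC[idx] if idx <= STATIC_SIZE else table[idx - STATIC_SIZE - 1])
        else:                         # literal with incremental indexing, new name (0x40)
            assert b == 0x40, "representation outside this subset"
            name, pos = decode_str(buf, pos)
            value, pos = decode_str(buf, pos)
            table.insert(0, (name, value))
            headers.append((name, value))
    return headers

def demo():                           # the same request sent twice on one connection
    req = [(":method", "GET"), (":path", "/"), ("host", "example.com"),
           ("x-constructed-id", "abc123")]   # constructed sample header
    enc_table, dec_table = [], []
    blocks = [encode_block(req, enc_table) for _ in range(2)]
    in_sync = all(decode_block(b, dec_table) == req for b in blocks)
    try:                              # a box that missed block 1 cannot read block 2
        stateless_ok = bool(decode_block(blocks[1], []))
    except IndexError:
        stateless_ok = False
    return len(blocks[0]), len(blocks[1]), in_sync, stateless_ok
```

`demo()` returns the two block sizes (45 and 4 bytes), whether a decoder that saw both blocks stays in sync, and whether a decoder that skipped the first block can read the second.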


I wish they'd require encryption. Perhaps make http:// be TLS but without certificate verification.


This is in progress. HTTP 2.0 does exactly what you specify. The tcpinc working group at the IETF is also looking at adding this at a lower level for all TCP connections.


Uh, they removed the TLS requirement.


Then the telecoms would MITM it anyways.


Certificate pinning and web-of-trust verification would make that difficult to maintain for long.


It's unlikely they'll ever get mass usage because both are uncomfortable to work with.

If a certificate is compromised, changing it means all pinned clients will get a huge warning. Either the user ignores the warning (in which case pinning is useless) or he doesn't and the site is harmed. Keeping a compromised certificate is even worse.

For WoT you first need a web of trusted individuals.

Unfortunately key distribution over insecure channels is still an unsolved problem.



