Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?
Networking The Internet

PHK: HTTP 2.0 Should Be Scrapped 220

Via the HTTP working group list comes a post from Poul-Henning Kamp proposing that HTTP 2.0 (as it exists now) never be released after the plan of adopting Google's SPDY protocol with minor changes revealed flaws that SPDY/HTTP 2.0 will not address. Quoting: "The WG took the prototype SPDY was, before even completing its previous assignment, and wasted a lot of time and effort trying to goldplate over the warts and mistakes in it. And rather than 'ohh, we get HTTP/2.0 almost for free', we found out that there are numerous hard problems that SPDY doesn't even get close to solving, and that we will need to make some simplifications in the evolved HTTP concept if we ever want to solve them. ... Wouldn't we get a better result from taking a much deeper look at the current cryptographic and privacy situation, rather than publish a protocol with a cryptographic band-aid which doesn't solve the problems and gets in the way in many applications ? ... Isn't publishing HTTP/2.0 as a 'place-holder' is just a waste of everybody's time, and a needless code churn, leading to increased risk of security exposures and failure for no significant gains ?"
This discussion has been archived. No new comments can be posted.

PHK: HTTP 2.0 Should Be Scrapped

Comments Filter:
  • by Anonymous Coward on Monday May 26, 2014 @08:32PM (#47096015)
  • Re:Encryption (Score:5, Interesting)

    by Anonymous Coward on Monday May 26, 2014 @08:36PM (#47096035)

    No, you really don't. Encryption is good for Facebook, but enforcing it for your Internet-of-Everything lightbulb or temperature probe in the basement gains nothing other than more complex bugs and lower battery life.

  • by Anonymous Coward on Monday May 26, 2014 @08:40PM (#47096061)

    ...the entire idea is to cripple security and the ability to provide for privacy. In the end, National Security agencies take the view that digital networks are a primary source of intelligence. Thus, being able to bug and break into systems is a national security priority. The group are dominated by companies that rely on government contracts, so they do their bidding and weaken the specs.

    Ultimately, you live in an Oligarchy, not a democracy, so no one cares about your opinion or that of anyone else, unless you happen to have lots of cash. If you did have lots of cash, then you too would be trying to undermine security and privacy to ensure no one takes it from you.

    Deal with it.

  • Convincing (Score:5, Interesting)

    by gweihir ( 88907 ) on Monday May 26, 2014 @08:54PM (#47096137)

    There is also the other thing that there is no urgent need to replace HTTP/1.1, despite of what people claim. Sure, it has problems, but the applications it does not support so well are things that there is not urgent need for, hence there is no urgent need for a protocol replacement. It would be far better to carefully consider what to put into the successor and what not. And KISS should the the overriding concern, anything else causes a lot more problems and wastes a lot more resources than having the successor a few years later.

  • by MassacrE ( 763 ) on Monday May 26, 2014 @09:51PM (#47096419)

    It is a technical discussion. Unless you are prepared to provide feedback on how to make a more private/anonymous protocol which can serve as a drop-in replacement for HTTP 1.1, "normal users" will just serve as background noise.

    PHK's biggest issue IMHO is that HTTP/2 will break his software (Varnish), by requiring things his internal architecture can't really deal with (TLS).

  • Re:Encryption (Score:2, Interesting)

    by WaffleMonster ( 969671 ) on Tuesday May 27, 2014 @12:34AM (#47097147)

    Nothing is NSA-proof,

    NSA proof is possible unless NSA includes goons armed with $5 wrenches.

    The whole point here is not to make the system undefeatable, just to increase the cost of breaking it, just like your door lock isn't perfect, but still useful.

    If you can't view traffic then traffic is safe from you therefore it is not necessary to encrypt traffic.

    If you can view traffic then you have everything necessary to own that traffic.. TCP initial sequence number and fast pipe is all you need... nobody is doing any of the filtering necessary to prevent source address spoofing so these attacks are trivial.

    If your data is going through a "great firewall", CGN (everyone using a cellular network) or other bump in the wire there is no reason not to expect opportunistic encryption to be MITMd in realtime and in bulk.

    it would require the NSA to man-in-the-middle every single connection if it wants to keep its pervasive monitoring.

    So everyone in US is safe from NSA bulk collection of websites they visit except bulk collection of IP layer headers, certificate identities sent in the clear during TLS handshake and the zillions of US corporations engaged in cross site stalking compelled to hand over "any tangible thing".

    What is the opportunity cost of an encryption solution which solves nothing? What resources and demand are no longer available to be applied to a solution with teeth?

    How do you explain to the user well their data might be encrypted yet their data is not protected since it is not trusted? I can see the eyes rolling and roar of millions of swooshes... All people know is "encrypted" and this means "safe" ... I see nothing good coming from introduction of this technical doublespeak.

    Does HTTP 2.0 implement any latching or fingerprinting that could be useful to retroactively detect compromise of security? Do they even try?

  • Re:Run your own CA (Score:3, Interesting)

    by gmhowell ( 26755 ) <gmhowell@gmail.com> on Tuesday May 27, 2014 @01:17AM (#47097299) Homepage Journal

    Reasonable idea, but I suspect GE, Samsung, Whirlpool, and all the other manufacturers of Internet connected widgets will force you to buy a certificate from their app store. Hacking your light bulb to install your own certificate will be a federal crime, punishable by PMITA prison or worse.

Reactor error - core dumped!