Anyone know why this hasn't gained adoption? http://tools.ietf.org/html/rfc2817
I've been watching various efforts at widespread opportunistic encryption, like TCPINC and STARTTLS in SMTP. It's made me wonder why it isn't used for HTTP. Opportunistic encryption could be completely transparent. We don't need any external facing UI changes for users (although perhaps plaintext HTTP on port 80 could show a broken lock). Instead, if the server and client mutually support it, TLS with an unauthenticated key exchange is used. It seems most modern web browsers and web servers are built with TLS support. Why not always flip it on if it's available on both sides, even if it's trivially MitMed?

-- Tony Arcieri
_______________________________________________ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
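The RFC 2817 exchange the post refers to, as an added example that is not part of the original message or of the RFC's own text: both peers are modelled as pure functions over constructed HTTP/1.1 message heads (the hostname and the minimal header parser are assumptions), showing that TLS starts only when both sides advertise support and that a server without it simply answers the OPTIONS request in the clear, which is the opportunistic fallback the post describes.

```python
"""RFC 2817 'Upgrade: TLS/1.0' negotiation modelled as plain functions.
Added example, not code from the mailing-list post or from RFC 2817."""

CRLF = "\r\n"


def _headers(msg: str) -> dict:
    """Minimal head parser (assumption): lower-cased name -> value, first line skipped."""
    head = msg.split(CRLF + CRLF, 1)[0]
    out = {}
    for line in head.split(CRLF)[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            out[name.strip().lower()] = value.strip()
    return out


def _tokens(value: str) -> set:
    """Split a comma-separated header value into lower-cased tokens."""
    return {t.strip().lower() for t in value.split(",") if t.strip()}


def client_upgrade_request(host: str) -> str:
    """Client-initiated upgrade (RFC 2817 section 3.1): OPTIONS * carrying Upgrade + Connection."""
    return (f"OPTIONS * HTTP/1.1{CRLF}Host: {host}{CRLF}"
            f"Upgrade: TLS/1.0{CRLF}Connection: Upgrade{CRLF}{CRLF}")


def server_decide(request: str, tls_available: bool) -> tuple:
    """Server side: (status, response head, start_tls_after_sending).
    Only a request with BOTH 'Upgrade: TLS/1.0' and 'Connection: Upgrade' is an
    offer; a server without TLS just answers OPTIONS, so the fallback is plaintext."""
    h = _headers(request)
    offered = ("tls/1.0" in _tokens(h.get("upgrade", ""))
               and "upgrade" in _tokens(h.get("connection", "")))
    if offered and tls_available:
        resp = (f"HTTP/1.1 101 Switching Protocols{CRLF}"
                f"Upgrade: TLS/1.0, HTTP/1.1{CRLF}Connection: Upgrade{CRLF}{CRLF}")
        return 101, resp, True
    return 200, f"HTTP/1.1 200 OK{CRLF}Content-Length: 0{CRLF}{CRLF}", False


def client_should_start_tls(response: str) -> bool:
    """Client side: begin the TLS handshake only after a 101 that echoes the TLS upgrade."""
    status_line = response.split(CRLF, 1)[0]
    h = _headers(response)
    return status_line.startswith("HTTP/1.1 101") and "tls/1.0" in _tokens(h.get("upgrade", ""))


def negotiate(host: str, server_tls: bool) -> dict:
    """One opportunistic exchange end to end; 'tls' is True only if both sides agree."""
    req = client_upgrade_request(host)
    status, resp, server_starts = server_decide(req, server_tls)
    return {"status": status, "tls": server_starts and client_should_start_tls(resp)}
```

Because the offer and the 101 both travel in cleartext, a hop that drops the Upgrade header leaves both peers on plain HTTP with nothing to flag it, which is the "trivially MitMed" limitation the post itself raises.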