users@servlet-spec.java.net

[servlet-spec users] [jsr340-experts] Re: [JIRA] (SERVLET_SPEC-95) Require that TLS is supported

From: Edward Burns <edward.burns_at_oracle.com>
Date: Thu, 24 Jul 2014 18:06:19 -0700

Note, I'm replying on users_at_servlet-spec.java.net because we don't have
a new jsrxxx-experts list yet and until we do I want everyone to be able
to reply.

First, thanks for following the issue closely. As far as I know, you
are the only likely Servlet 4.0 EG member who is actually on the httpbis
working group, so your experience there, and in implementing http2 and
ALPN in Jetty will be very valuable to everyone in Servlet-land.

>>>>> On Thu, 24 Jul 2014 15:07:44 +1000, Greg Wilkins <gregw_at_intalio.com> said:

GW> On 24 July 2014 07:10, Ed Burns (JIRA) <jira-no-reply_at_java.net> wrote:
GW>
>> Ed Burns created SERVLET_SPEC-95:
>>
>> Summary: Require that TLS is supported

GW> Ed et al,

GW> I'm very much against this. While I don't dispute the premise that
GW> "Pervasive Monitoring Is an Attack", I don't believe that https is a
GW> solution that comes anywhere near close enough to solve that issue.

I'll defer to the decision of httpbis WG on this one. My sources are
telling me that if httpbis doesn't make TLS the default, it won't be
approved by IETF. I'm inclined to take the position of, "if it's good
enough for IETF, it's good enough for Servlet".

GW> https does not hide who you are talking to, when you talk to them or even
GW> how much you talk and in what size chunks. So pretty much all of your
GW> metadata is available to those monitoring you. By examining public
GW> websites you visit, the monitor can use size and sequence information to
GW> work out what pages you have visited. Worse yet, because of things like
GW> http://en.wikipedia.org/wiki/CRIME it is often possible for even the
GW> content to be cracked. CRIME came about because compressed data that had
GW> never been considered for security was put over TLS.

GW> TLS is simply insufficient to provide any level of protection from
GW> monitoring and it actually makes things worse to pretend that it does.

This is a great point.

GW> Traffic carried by TLS needs to be carefully considered so that it is
GW> protected from CRIME-like attacks. The more data sent over TLS that an
GW> attacker can control, the worse CRIME-like vulnerabilities become, so forcing
GW> non-secure traffic to TLS will reduce the protection available to important
GW> data.

Getting more specific, back to the spec text:

Section_1.2> All servlet containers must support HTTP as a protocol for
Section_1.2> requests and responses, but additional
Section_1.2> request/response-based protocols such as HTTPS (HTTP over
Section_1.2> SSL) may be supported.

Greg, for now, can you support changing the text to read:

Section_1.2> All servlet containers must support HTTP and HTTPS (HTTP
Section_1.2> over SSL) as protocols for requests and responses.

When httpbis WG delivers their final verdict on the requirement of TLS,
we will revisit this text.

Ed

-- 
| edward.burns_at_oracle.com | office: +1 407 458 0017
| 38 work days til JavaOne 2014
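Added example, not part of the thread above and not code from the servlet-spec project or Jetty: the compression side channel Greg points to (CRIME) reduced to its mechanism, so the "attacker-controlled data next to secrets" concern can be seen rather than argued. The compressor is a simplified greedy LZ77 cost model standing in for DEFLATE (1 byte per literal, 2 bytes per back-reference); the request layout, the secret cookie value `sessionid=7f3a9c1e`, the hex charset and all function names are constructed for the illustration.

```python
"""CRIME-style compression oracle: attacker-controlled bytes compressed in the
same context as a secret leak the secret through the compressed size."""

MIN_MATCH = 3    # shortest back-reference the toy compressor will emit
WINDOW = 4096    # how far back it looks for a match


def lz77_size(data: bytes) -> int:
    """Size in bytes of a greedy LZ77 encoding of `data`.

    Simplified cost model (assumption, standing in for DEFLATE): a literal
    costs 1 byte, a back-reference of any length >= MIN_MATCH costs 2 bytes.
    Only the size matters for the side channel, so no stream is built.
    """
    i, n, size = 0, len(data), 0
    while i < n:
        best = 0
        for j in range(max(0, i - WINDOW), i):
            k = 0
            while i + k < n and data[j + k] == data[i + k]:
                k += 1
            best = max(best, k)
        if best >= MIN_MATCH:
            size += 2
            i += best
        else:
            size += 1
            i += 1
    return size


SECRET_COOKIE = b"sessionid=7f3a9c1e"   # constructed secret, not a real value
HEX = b"0123456789abcdef"               # alphabet the secret is drawn from


def request_bytes(attacker_data: bytes, secret: bytes = SECRET_COOKIE) -> bytes:
    """A request mixing attacker-reflected data (query string) with a cookie
    the browser attaches automatically. Constructed layout."""
    return (b"GET /search?q=" + attacker_data + b" HTTP/1.1\r\n"
            b"Host: example.test\r\n"
            b"Cookie: " + secret + b"\r\n\r\n")


def shared_context_size(attacker_data: bytes) -> int:
    """Vulnerable case: the whole request is compressed as one unit before
    encryption, so the observer sees a size that depends on the secret."""
    return lz77_size(request_bytes(attacker_data))


def separate_context_size(attacker_data: bytes) -> int:
    """Mitigated case: attacker-controlled bytes and the cookie are compressed
    in separate contexts (no shared dictionary); the size no longer depends
    on whether the guess matches the secret."""
    return (lz77_size(b"GET /search?q=" + attacker_data + b" HTTP/1.1\r\n")
            + lz77_size(b"Host: example.test\r\nCookie: " + SECRET_COOKIE + b"\r\n\r\n"))


def guess_next_byte(oracle, known: bytes, charset: bytes = HEX):
    """Try every candidate byte after `known`; the one that compresses best
    extends the back-reference into the secret. None if there is no unique
    minimum (the oracle gave no signal)."""
    sizes = {bytes([c]): oracle(known + bytes([c])) for c in charset}
    smallest = min(sizes.values())
    winners = [c for c, s in sizes.items() if s == smallest]
    return winners[0] if len(winners) == 1 else None


def recover_secret(oracle, known: bytes, count: int, charset: bytes = HEX) -> bytes:
    """Byte-at-a-time recovery of up to `count` secret bytes after `known`.
    Stops as soon as the oracle stops distinguishing candidates."""
    for _ in range(count):
        nxt = guess_next_byte(oracle, known, charset)
        if nxt is None:
            break
        known += nxt
    return known


if __name__ == "__main__":
    print("shared context  :", recover_secret(shared_context_size, b"sessionid=", 8))
    print("separate context:", recover_secret(separate_context_size, b"sessionid=", 8))
```

With a shared compression context each correct guess lengthens the back-reference into the cookie by one byte and removes one literal, so the attacker's reflected query string becomes a one-byte-per-step oracle and the cookie falls out in 8 x 16 requests. With separate contexts every candidate compresses to the same size and the recovery stops at the known prefix, which is the concrete form of Greg's point: the more attacker-controlled data that shares a compressor with secrets, the more the compressor leaks. Real DEFLATE adds Huffman coding, so the per-guess difference is sub-byte and the original CRIME work needed padding tricks to push it across a byte boundary; the toy cost model here makes the signal exact so the mechanism is visible.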