[HTTPS-Everywhere] HTTPS Everywhere for Chromium

Adam Langley agl at imperialviolet.org
Fri Dec 3 07:48:08 PST 2010


On Wed, Dec 1, 2010 at 1:13 AM, Chris Palmer <chris at eff.org> wrote:
> Someday, Chrome will be trying SPDY first before HTTP and HTTPS, right? This protocol reboot is our chance to fix the default from "goaty" to "minimally safe". Is it a better use of our time to add SPDY support to as many servers and clients as we can, than to emulate HTTPS Everywhere in a Chrome that was not made to support it?

The SPDY upgrade problem is one that we have already addressed with
NPN[1] for HTTPS URLs. NPN works for any protocol which you care to
negotiate. SPDY has mechanisms for working with HTTP URLs as well
(and, via NPN, any protocol does). However, I don't wish to discuss
them because if people prod at it, it'll add noise to our
measurements.

Since we can't break the world, any change is going to have to be
incremental. HTTPS Everywhere is actually solving a different problem:
how to do this without the site operators doing anything. Given the
size of the Internet, it's simply the case that 99%+ of sites will be
administered by lay-persons who don't have any incentive to upgrade in
the best interests of the network as a whole, don't know how to
upgrade even if they did and, ultimately, don't even know that there's
any reason to upgrade.

That's why we still have servers which don't even manage to implement SSLv3.

Protocol upgrade is a technical problem that we can solve. The social
issue is rather harder.


[1] http://tools.ietf.org/html/draft-agl-tls-nextprotoneg-00


Cheers

-- 
Adam Langley agl at imperialviolet.org http://www.imperialviolet.org


