Slashdot Mirror
PHK: HTTP 2.0 Should Be Scrapped
Via the HTTP working group list comes a post from Poul-Henning Kamp proposing that HTTP 2.0 (as it exists now) never be released after the plan of adopting Google's SPDY protocol with minor changes revealed flaws that SPDY/HTTP 2.0 will not address. Quoting: "The WG took the prototype SPDY was, before even completing its
previous assignment, and wasted a lot of time and effort trying to
goldplate over the warts and mistakes in it.
And rather than 'ohh, we get HTTP/2.0 almost for free', we found
out that there are numerous hard problems that SPDY doesn't even
get close to solving, and that we will need to make some simplifications
in the evolved HTTP concept if we ever want to solve them. ...
Wouldn't we get a better result from taking a much deeper look
at the current cryptographic and privacy situation, rather than
publish a protocol with a cryptographic band-aid which doesn't solve
the problems and gets in the way in many applications ? ...
Isn't publishing HTTP/2.0 as a 'place-holder' is just a waste of
everybody's time, and a needless code churn, leading to increased
risk of security exposures and failure for no significant gains ?"
I hope that whatever HTTP2.0 ends up being enforces encryption by default.
+1 IDisagreeSoHeMustBeATrollOrAnAstroturferOrAShill
Why HTTP/2.0 does not seem interesting
...the entire idea is to cripple security and the ability to provide for privacy. In the end, National Security agencies take the view that digital networks are a primary source of intelligence. Thus, being able to bug and break into systems is a national security priority. The group are dominated by companies that rely on government contracts, so they do their bidding and weaken the specs.
Ultimately, you live in an Oligarchy, not a democracy, so no one cares about your opinion or that of anyone else, unless you happen to have lots of cash. If you did have lots of cash, then you too would be trying to undermine security and privacy to ensure no one takes it from you.
Deal with it.
Dang, I'm sad Linus Torvalds, John Carmack, et. al. are "too self important" because someone else made a wikipedia page about them. Or maybe programming, especially concerning the next standard for what most of the internet would ideally run, is too important for fucking hipsters to get involved.
There is also the other thing that there is no urgent need to replace HTTP/1.1, despite of what people claim. Sure, it has problems, but the applications it does not support so well are things that there is not urgent need for, hence there is no urgent need for a protocol replacement. It would be far better to carefully consider what to put into the successor and what not. And KISS should the the overriding concern, anything else causes a lot more problems and wastes a lot more resources than having the successor a few years later.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
And why shouldn't have a moratorium and review ESPECIALLY in regards to what has come to light about how fucked the internet is in just the last year?
Why proceed blindly with a protocol that comes from Google, who gladly works hand in hand with the NSA and is a Corporation whose core focus to track and monitor every single person and thing online?
What? Just proceed with something that addresses NONE of the present mass surveillance issues, and possibly could make us less secure than we are now just because we don't have a fall back lined up?
Or how about we take this time to step back and reevaluate what HTTP2.0 needs to be -- such as changing to a focus on security and privacy.
can we scrap ipv6 yet ? the most unintuitive address system invented so far
Isn't publishing HTTP/2.0 as a 'place-holder' is just a waste of everybody's time, and a needless code churn, leading to increased risk of security exposures and failure for no significant gains ?
Not to mention, who gets control of it and passes ouit all the back doors.
This guy has never heard of version numbers or something? He thinks it's a better idea to design something that is perfect instead of using something that is useful for what it's designed for but less than ideal for a small percentage of use cases.
I don't think HTTP has any problems with security. All the real world problems with HTTP security are caused by:
* dismally slow roll out of dnssec. It should have been finished years ago, but it has barely even started.
* the high price of acquiring an SSL certificate (it's just bits!).
* slow rollout of IPv6 (SSL certificates generally require a unique IP and we don't have enough to give every domain name a unique IP).
* arguments in the industry about how to revoke a compromised SSL certificate, which has lead to revocation being almost useless.
* SSL doesn't really work when there are thousands of certificate authorities, so some changes are needed to cope with the current situation (eg: dsnssec could be used to prevent two certificate authorities from signing the same domain name)
HTTP/1.1 is roughly seventeen years old now - technically HTTP/1.0 came out seven years before that, but in terms of mass adoption, NSFNet fizzled in '94 and then people really started to pay attention to the web - I had my first webpage about six months before that (at College) and there were maybe a dozen in the whole school who had heard of it previously. Argue for seven years if you'd like, but I'll say that HTTP/1.0 got seriously revised after three years of significant broad usage. SSLv3, still considered almost usable today, was released the year before. TLSv1.2, considered good, has been a standard for over five years and still it's poorly supported though now critically necessary for some security surfaces.
After this burst of innovation, somebody dreamt up the W3C and we got various levels of baroque standards, all while everybody else solved the same problems over and over again. IETF used to be pretty efficient, but it seems like they're at the same point now.
I won't argue for SPDY becoming HTTP/2.0 but I will admire it as an effort to freaking do something. Some guys at Google said, "look, screw you guys, we're going to try to fix this mess," and they did something. While imperfect, they still did enough that the HTTP/2.0 committee looked at it and said (paraphrasing), "hrm, since we haven't done anything useful for 15 years, let's take SPDY and tweak it and call it a day's work well done."
The part Google got most right was the "screw you guys" part - central-planning the web is not working.. I'm not positive what the right organization structure looks like, but it's not W3C and IETF. We need to figure out what went right back in the mid 90's and do that again, but now with more experience under our belts. This talk of "one protocol to rule them all for 20 years" is undeniably a toxic approach. HTTP/1. 1 should have been deprecated by 2005 and we should be on to the third iteration beyond it by now. Yeah, more core stuff for the devs to do - used to be we had people who could start a company and write a whole new web browser in a year - half the time it takes to change the color of tabs these days.
And don't start with this "but this old browser on ... " crap either - we rapidly iterated before and can do it again. Are there people who fear change? Sure - and nobody is going to stop HTTP/1.1 from working 50 years from now, but by golly nobody should want to use it by then either.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
Let's keep the crappy thing we have now and not deploy the less crappy thing we've already implemented so we can focus our effort on building something perfect from scratch. Good luck with that.
Yeah, what DOES he know? He's just the author of Varnish and a core FreeBSD developer, I bet you understand HTTP a lot more than he does.
It's better they chuck some of it and stick with a few good bits. The encryption can be trashed as far as I care; that can be another group's problem. We need proxy caching and you can't do it with encryption and be secure.
The reason we can't move like before isn't the committee, it's that we now have a global system built around it and a great deal of investment in it. In the 90s it was all new; low risk, low impact. Today, there is a vast territory claimed and set; when you make new things you can't destroy all you've gained and unless you have a killer app (like the web was) people will not be motivated to make drastic changes.
DNSSEC is a great example of not having much motivation to do the pain in the ass it creates; furthermore, it doesn't completely solve a problem we all are that worried about. They may have made it quickly but people are not using it. IPv6 is long past due and here we sit... (at least we don't have a huge movement of IPv4 deniers saying it's not full and if it is, it wasn't our fault.)
Democracy Now! - uncensored, anti-establishment news
The cost of SSL certificates is not in the bits. It's in the security of the private key, some validation in extended verification certs, and the administration work involved in signing your key with the CA's key. "It's just bits" is like looking at a computer chip and saying "it's just sand."
Please help metamoderate.
I think following demonstrates reality participants in standards organizations are constrained by the market and while they do yield some power it must be exercised with extreme care and creativity to have any effect past L7.
As much as many people would like to get rid of Cookies -- something
you've proposed many times -- doing it in this effort would be counter-productive.
Counter-productive for *who* Mark ?
Counter-productive for FaceBook, Google, Microsoft, NSA and the other mastodons who use cookies and other mistakes in HTTP
(ie: user-agent) to deconstruct our personal identities, across the entire web ?
Even with "SSL/TLS everywhere", all those small blue 'f' icons will still tell FaceBook all about what websites you have visited.
The "don't track" fiasco has shown conclusively, that there is never going to be a good-faith attempt by these mastodons to improve personal privacy: It's against their business model.
And because this WG is 100% beholden to the privacy abusers and gives not a single shit for the privacy abused, fixing the problems would be "counter-productive".
If we cared about human rights, and privacy, being "counter-productive" for the privacy-abusing mastodons would be one of our primary goals.
It is impossible for me to disagree with this. Have several dozen tracking/market intelligence/stat gathering firms blackholed in DNS where creative use of DNS to implement tracking cookies do not work. I count on the fact they are all much too lazy to care about a few people screwing with DNS or operating browser privacy plugins.
I'm personally creeped out by hoards of stalkers following me everywhere I go...yet I see the same mistakes play out again and again... people looking to solve problems without consideration of second order effects of their solutions.
You could technically do something about those army of stalker creeps ... yet this may just force them underground, pulling same data thru backchannels established directly with site - rather than a cut and paste javascript job it would likely turn into module loaded into backend stack with no visibility to the end user or ability to control.
While this would certainly work wonders for site performance and bandwidth usage... those limited feedback channels we did have for the stalked to watch the stalker are denied. On flipside of the ledger not collecting direct proof of access could disrupt some stalker creeps business models.
I think emotional half-assed reaction to NSA with established ability to "QUANTUM INSERT" ultimately encourages locally optimal solution having effect of affording no actual safety or privacy to anyone.
Not only does opportunistic encryption provide a false sense of security to the vast majority of people who simply do not understand relationship between encryption and trust such deceptions effectively work to relieve pressure on need for a real solution.. which I assume looks more like DANE and associated implosion of SSL CA market.
My own opinion HTTP 2.0 is only a marginal improvement with no particular pressing need... I think they should think hard and add something cool to it.. make me want to care...as is I'm not impressed.
How "fucked" is the internet, exactly?
It's acquiring new users at an astonishing rate - on average, over ten million people per day. Number of searches, online spending, advertising profits - these metrics are increasing at a compound rate of double-digit percent. More industries should be so fucked.
There's a problem with spying and privacy? Duh, and how much is that worth at the bottom line? Hasn't stopped the growth, hasn't even dented it so's you'd notice. Ask Google.
The internet isn't fucked. Its users may be - particularly those who wanted it to remain a free, anarchic playground - but the internet itself is thriving beyond any reasonable expectation.
However, much of the time your main concern is that the certificate isn't an MiTM, and that you are talking to the same person or entity you were talking to previously.
That's called the "key continuity management" paradigm. But KCM breaks down if the first time you talk to someone happens to be through a man in the middle. If your Internet connection is through a MITM proxy, as seen in bug 460374 and in many corporate networks, then "the same person or entity you were talking to previously" would be the MITM. For this reason, even though SSH is most often used in KCM mode, the "Please answer yes or no" prompt urges the user to confirm the server's key fingerprint out of band.
Or just run your own CA and install its root certificate on the devices on your private network.
If you're behind a firewall that shunts all traffic to a proxy that allows only outgoing HTTP connections, then HTTP is The Internet.
For many use cases, the ability to support 30,000 concurrent HTTP connections with a single VM outweighs the value proposition of encrypting the content in transit, especially for cases where the content in transit isn't remotely sensitive in nature.
It isn't necessarily that the work that you're trying to serve is "remotely sensitive in nature". It's that other parts of the same page may be "sensitive in nature", and browsers throw up pop-up windows about "mixed content" when a secure document transcludes an insecure resource. For example, the logged-in user's session cookie is "sensitive in nature" because an attacker can view it and replay it to impersonate the user. But because ad networks have a history of not supporting HTTPS, many sites have had to remain vulnerable to Firesheep in order to serve ads to logged-in users. (Only in September of last year did Google's AdSense add HTTPS support.)
From the "development" trees in Chrome, to WebRT and WebM, they have splintered the internet numerous times with no advantage to the greater good.
VP8 is a royalty-free video codec whose rate/distortion performance is in the same league as the royalty-bearing MPEG-4 AVC. WebM is VP8 video and Vorbis audio in a Matroska container. Did Xiph likewise "splinter[] the Internet" by introducing Vorbis as a royalty-free competitor to the royalty-bearing MP3 and AAC audio codecs? If so, how? If not, then how did Google's On2 division "splinter[] the Internet" by introducing WebM as a competitor to MPEG-4?
The biggest problem with SPDY is that it's a protocol by Google, for Google. Unless you are doing the same as Google, you won't benefit from it. In my free time, I'm writing an open source webserver and by doing so, I've encountered several bad things in the HTTP and CGI standard. Things can be made really more easy and thus faster if we, for example, agree to let go of this rediculous pathinfo, agree that requests within the same connection are always for the same host and make the CGI headers work better with HTTP.
You want things to be faster? Start by making things more simple. Just take a look at all the modules for Apache. The amount of crap many web developers want to put into their website can't be fixed by a new HTTP protocol.
We don't need HTTP/2.0. HTTP/1.3 with some things removed, fixed or at least have some vague things be specified more clearly, would be more than enough for 95% of all the websites.
It doesn't have to be like this. All we need to do is make sure we keep talking.
Ah, the irony of using "security and privacy" to argue in favour of old unencrypted HTTP/1.1 and against always-encrypted SPDY (which HTTP/2.0 is based on).
There's a hidden treasure in Python 3.x: __prepare__()
What I would like to see, is to scrap the whole HTML since HTML 1.0 and get back to basic text-only sites in most parts without most fanciest CSS/JS/PHP etc scripting.
Add just the basic features like what is the font and its style (bold, underline, color) and basic formatting (alignment, width, space between lines and paragraphs) and then way to get few pictures between or side of the text.
And every URL would need to be in the text itself and no image or specific area can be used to trigger anything or as URL.
Basically more like what Wikipedia is today, in more simpler manner even from it.
Then the commenting should be moved back behind NNTP.
There is nothing wrong with HTTP itself, but the pages sizes, elements etc are just blowed out to proportions where sites don't anymore serve the original idea of the WWW and purpose of the Internet.
Maybe if we weren't trying to tunnel every god damned protocol and transport known to mankind through HTTP it wouldn't be such a massive problem to re-engineer and fix.
Seriously: The idea of TCP was to have multiple protocol ports, not to tunnel everything over :80.
I do not fail; I succeed at finding out what does not work.
Those certainly are plausible (and unfortunately common) issues. That's why I was thinking of the "you want to make sure that you aren't suddenly being fed a different certificate than people in other parts of the world, or on different ISPs" consideration. Annoyingly, that's the one that would require some sort of distributed observation system that you could talk to, rather than being comparatively trivial to do in software on your own system (as of right now, browsers don't usually provide a handy 'remember this domain's certificate and freak out?' button; but that's extension-level stuff to add). The thinking being that, short of the MiTM either compromising the observation system, or controlling so much of the network that their certificate looks like the trustworthy one, it would be impossible for a given attacker to present a false certificate to a numerous people in different parts of the world and connected to different parts of the internet.
Of course, the details of how to actually implement such a system, along with actually doing so, are a great deal trickier than just checking key continuity on the client...
Not everything served over HTTP served to a "web browser", nor is every payload a "page". Machine-to-machine communications, digitally-signed XML, single-user personal area networks, all come to mind.
With certs you also want to have the property that everyone sees the same. The Bitcoin blockchain solves a similar problem: to prevent double spend the blockchain has to be the same for all parties. There is even a project trying to achieve that with the blockchain: Namecoin.
The disadvantage is that clients either have to download the whole blockchain and ask as many parties as possible whether there were any updates, to be sure they have the longest branch of the blockchain, or they have to trust some server that has done that for them.
HTTP is a transport spec, not an encryption spec. Mixing the two will only lead to trouble.
This guy has never heard of version numbers or something? He thinks it's a better idea to design something that is perfect instead of using something that is useful for what it's designed for but less than ideal for a small percentage of use cases.
The problem is that when you write a new HTTP standard, that now becomes permanent. Just because HTTP 1.1 came out, that doesn't mean that you can simply abandon all HTTP 1.0 code. HTTP 1.0 code now lives on in perpetuity because it was an official standard, and there are still servers out there using it. Likewise, if we throw 2.0 out there with reckless abandon, we must now support 2.0 for all of eternity, no matter how flawed it may be.
The goal should be to get it right, not to throw new versions out every couple of months.
The very fact that they introduced another video codec, when they knew h264 was the dominant one, is proof enough.
"The very fact that Google introduced another touch-screen smartphone operating system, when they knew iOS was the dominant one, is proof enough."
After all they said "ah, but we'll stop using h264 in a while and remove it from Chrome" to placate those concerns, only to reneg on that idea and leave TWO codecs in Chrome, forcing others to scramble and implement h264 support.
You have one codec for people who also plan to serve to iOS and Flash Player (namely H.264) and one codec for people who plan to avoid paying royalties to MPEG-LA (namely VP8). It's the same reason that browsers added PNG alongside GIF: to allow webmasters to avoid paying royalties to Unisys.
So you aren't on one. I'm not on one. But you find it relevant?
I do, and so would anyone who appreciates Martin Niemöller's reasoning might:
First they came for the Communists, and never having voted for a Communist candidate, I STFU.
Then they came for people behind work, school, or public library proxies, and not being currently behind such a proxy, I STFU.
Then they came for members of the Jewish faith, and not being Jewish, I STFU.
And then they came for me.
The committee member is simply pointing out that new standards that do not provide any new functionality do not get used, while standards that provide something useful get adopted much quicker. He also points out useful things that the new standard could/should address but isn't.
You make it sound like this guy is just throwing a hissy fit which is just bad form.
That's why I was thinking of the "you want to make sure that you aren't suddenly being fed a different certificate than people in other parts of the world, or on different ISPs" consideration. Annoyingly, that's the one that would require some sort of distributed observation system that you could talk to
I use a Firefox extension that does this, called Perspectives. The biggest hole in Perspectives is when the MITM is on the server's only upstream connection.
as of right now, browsers don't usually provide a handy 'remember this domain's certificate and freak out?' button; but that's extension-level stuff to add
Yes they do. If I visit an HTTPS site whose certificate doesn't chain to a trusted root CA, the browser gives me a warning, and I can remember the certificate. Perhaps the fear is that if browser makers improve the KCM user experience, people trying to visit a financial site (Chase, Ally, PayPal, etc.) might get suckered into using the KCM flow.
What makes encryption with no authentication worse than plaintext?
It makes man in the middle attacks trivially possible and thus rendering the encryption useless.
This applies equally to plaintext and to encryption with no authentication. So what makes plaintext better?
Google, who gladly works hand in hand with the NSA
I have to call bullshit on this rather common but unsupported and unsupportable claim.
There is no evidence that Google had cooperated with the NSA in any way other than actually required by law, and there they claim to be sticklers in demanding that the government dot the i's and cross the t's, including refusing any requests that are overly broad. We can't see what they actually do, of course, because the law makes it illegal for them to say... however Google was the company that first started publishing transparency reports and took the initiative to negotiate permission to publish aggregate statistics about the requests they're legally prevented from publishing. Those published numbers make it clear that Google is not providing information about large numbers of users.
There is evidence that the NSA had an extensive operation in place tapping Google's internal network. When this was revealed, Google immediately accelerated plans to encrypt all of those links to foil the snooping.
Beyond that, look at Google's Internet security track record. Google was the first major webmail provider to switch to HTTPS. Google is still the only major web search engine that requires HTTPS. For logged-in uses, all Google services are all-encrypted, all the time, and for most services even users that aren't logged in get HTTPS by default. Yes, Google designed SPDY, and designed it without an unencrypted mode. The HTTP/2 committee may have added support for unencrypted operation, but Google didn't design it in. Google's next-gen protocol, QUIC, not only doesn't have an unencrypted mode, security is baked so deeply into it that it's basically impossible to remove or disable.
FWIW, I'm a Google engineer, and until recently my job was to work on part of the internal communications security infrastructure. It's vanishingly unlikely that Google could have had any kind of sanctioned NSA tap in place without it being visible to me, and I saw no hint of any such thing.
I happen to personally know several of the people involved with SPDY and there's no way any of them would be party to any attempt to deliberately weaken the protocol.
Beyond that, I can tell you that the internal response to the Snowden revelations about NSA access into Google was one of fury, and a deep and abiding commitment to make sure it can't happen again. Google wants to ensure that the only way the government can get data about Google's users is to come in through the front door, with appropriate court documentation.
[Google] is a Corporation whose core focus to track and monitor every single person and thing online?
This is also simply untrue. Google's core focus is in its mission statement, which you can search for. 90% of its revenue comes from targeted advertising, and Google does collect information to do that ad targeting... but only with user approval. If you don't want Google to track you, Google provides tools you can use to ensure you're not tracked. In the process you'll have to give up some (not all, but some) use of Google's services, because the targeted advertising is the fee you pay for those services. Google hopes you'll like that deal and be happy with it. But if you're not, Google wants to ensure you can opt out. See http://google.com/privacy/tool...
(Disclaimer: The above is not an official company statement. In fact, company policy encourages me not to make it (though policy doesn't prohibit me). It is, however, my firm personal view.)
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
When a web page is slow to load, it is often because of all the data that must be loaded from 3rd-party sites - Google Analytics is one of the worst, but there is also Facebook, Twitter, etc (probably for 3rd-party logins). SPDY is not going to fix that. If Google wants to speed up the web, it should start by reducing the latency of its own services.
Blast. Out of mod points. But parent is one of the more insightful and balanced posts I've read on here in quite a while.
PNG was created for the greater good by committee and approved as a standard by the IETF, so no, it is nothing like WebM.
PNG was designed as patent free so there was never any treat of being sued if you used it.
Meanwhile, Google holds all of the patents for WebM and WebRTC. They have not released them to the public domain, so it is a power play and not a standard meant to improve the overall situation.
There is a huge difference between "royalty free" and "patent free". The former just means the guy with the club isn't demanding a toll today, while the latter means no one will ever get clubbed period.
Google holds all of the patents for WebM and WebRTC. They have not released them to the public domain
Nor is Linux "released [...] to the public domain". It is copyrighted and distributed under GPLv2, a member of a class of copyright licenses known as "copyleft". What objection do you have to the way Google licenses its WebM-related patents?
If you don't want Google to track you, Google provides tools you can use to ensure you're not tracked. In the process you'll have to give up some (not all, but some) use of Google's services, because the targeted advertising is the fee you pay for those services.
Ob "trading up privacy for services": http://www.smbc-comics.com/?id... ;-)
Can't argue with that. It is an issue. OTOH, I think social media is a much more serious issue in that respect than targeted advertising.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
Yes, but they had to actually exist and actually be persecuted for your analogy to work.
We already agreed that they "actually exist". I used to attend such a school, and you used to work for such an employer. If non-HTTP protocols were more widely deployed, then yes, people behind HTTP-only proxies would "actually be persecuted".
Mattered more before I could get The Internet on my phone, easily bypassing any proxy in place.
So your answer is to add a recurring fee, payable to a cellular carrier, of an estimated $500 per person per year plus $10 per GB overages. Besides, all it buys you is non-HTTP outgoing connections because cellular ISPs deploy carrier-grade NAT and thus their subscribers can't receive incoming connections.
glad i clicked on the headline and read the summary. i was thinking PHK stood for 'Pointy Haired Kaiser'