

Why I don't like SPDY - slyall
https://www.varnish-software.com/blog/i_dont_like_spdy

======
ssoroka
Nothing is stopping browsers from supporting http 1.1 and SPDY at the same
time. SPDY doesnt "force" anyone to support it. You just sound like the anti-
change crowd to me. Irrelevant.

~~~
willvarfar
no no no - what we want is SPDY without encryption/signing.

[http://williamedwardscoder.tumblr.com/post/20125275380/why-p...](http://williamedwardscoder.tumblr.com/post/20125275380/why-
per-buer-varnish-cache-doesnt-like-spdy)

------
chc
For the few who can't just use StartSSL, couldn't you just use a self-signed
certificate? I mean, it's suboptimal, but it's a far cry from "no way," isn't
it?

~~~
papaf
It would be workable if browsers stopped loudly complaining about self-signed
certificates and gracefully fell back to using something like TOFU/POP [1] or
Convergence [2].

[1] [http://www.xmlgrrl.com/blog/2010/07/06/tofu-online-trust-
and...](http://www.xmlgrrl.com/blog/2010/07/06/tofu-online-trust-and-
spiritual-wisdom/) [2] <http://convergence.io/>

~~~
chc
Ah, true. I wonder if it wouldn't be best if, by default, browsers would only
complain when a site switched to an untrusted cert it hadn't used before (i.e.
if Facebook.com is suddenly self-signed, that's a problem, and if a site
switches from one self-signed cert to another, that's a problem as well). This
would prevent most MITMs while still making self-signed certs useable. A site
with a self-signed cert is better than one using no security at all, so it
shouldn't get more flack.

