Opportunistic Security for HTTP - evilpie
http://greenbytes.de/tech/webdav/draft-ietf-httpbis-http2-encryption-latest.html

======
cpeterso
Why can't Google or Mozilla start their own CA? Free certs for everyone!

~~~
tptacek
Because they would be sued by the huge companies that already run CAs.

~~~
yummyfajitas
Google can certainly afford to litigate, and it's unclear to me what they'd be
sued over in any case.

Could you explain this in more detail?

~~~
tptacek
Google: [vertical integration antitrust]. Bear in mind that the CAs are
organized and some are themselves owned by gigantic companies.

------
X-Istence
There needs to be better support for self-signed certificates, or at least a
CA that is free and doesn't have strings attached (looking at you StartSSL
with payment required to re-issue a cert).

I would love to have certificates for all of my domains, but it simply isn't
worth it to me for the 40 - 50 hits a month I get on those properties to pay
for a cert, or go through the hassle of StartSSL and worry about having to pay
if the next Heartbleed happens.

~~~
taralx
That's in this spec:

"The server certificate, if one is proffered by the alternative service, is
not necessarily checked for validity, expiration, issuance by a trusted
certificate authority or matched against the name in the URI."

In other words, the certificate presented is merely used to secure the
connection against a passive attacker.