
> What about local development, where tools like tcpdump and wireshark are really handy?

You can tell browsers to dump the session keys, which can then be read by Wireshark [1].

> What about devices that are power constrained?

That's thinking from 10 years ago. 10 years ago, there were no native AES extensions in power constrained devices. But now there are, so encryption is really power efficient.

> I am just spooked by tying a text transfer protocol to a TCP system.

I guess instead of "TCP system" you meant transport layer protocol. I can actually understand your view: stuff is getting more complicated. I can fire up netcat, connecting to Wikipedia, typing out an HTTP/1.0 request manually. With 1.1 this is hard and with 2.0 it's impossible due to TLS requirements. But there are reasons for this added complexity: you want to be able to re-use connections, or use something better than TCP. As long as there is a spec, and there are several implementations lying around, I think it's okay to add complexity if there is a performance reward for it. Most people care about the performance; who wants to fire up netcat to do an HTTP request?

[1]: https://jimshaver.net/2015/02/11/decrypting-tls-browser-traf...
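Added example, not part of the comment above or of the linked article: browsers write the dumped keys in the NSS key log format when the `SSLKEYLOGFILE` environment variable is set (the variable name and labels come from that format, not from this thread). The Python code below checks such a file before it is handed to Wireshark, reporting per session whether the entries are complete; the function names and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Labels from the NSS key log format that this example recognises.
TLS13_REQUIRED = {
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0",
}
KNOWN = TLS13_REQUIRED | {"CLIENT_RANDOM", "CLIENT_EARLY_TRAFFIC_SECRET", "EXPORTER_SECRET"}
# Line layout: <label> <32-byte client random, hex> <secret, hex>
LINE = re.compile(r"^([A-Z0-9_]+) ([0-9a-fA-F]{64}) ((?:[0-9a-fA-F]{2})+)$")

def parse_keylog(text):
    """Return ({client_random: {label: secret}}, [numbers of rejected lines])."""
    sessions, bad = defaultdict(dict), []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are allowed
        m = LINE.match(line)
        if m and m.group(1) in KNOWN:
            sessions[m.group(2).lower()][m.group(1)] = m.group(3).lower()
        else:
            bad.append(n)
    return dict(sessions), bad

def classify(labels):
    """Say whether one session's entries are enough for full decryption."""
    if "CLIENT_RANDOM" in labels:  # TLS 1.2: value is the 48-byte master secret
        return "tls1.2" if len(labels["CLIENT_RANDOM"]) == 96 else "tls1.2-bad-length"
    return "tls1.3" if TLS13_REQUIRED.issubset(labels) else "tls1.3-incomplete"

def report(text):
    sessions, bad = parse_keylog(text)
    return {rnd: classify(lbls) for rnd, lbls in sessions.items()}, bad

# Constructed sample, not real key material.
SAMPLE = "\n".join([
    "# constructed key log",
    "CLIENT_RANDOM " + "11" * 32 + " " + "aa" * 48,
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "22" * 32 + " " + "bb" * 32,
    "SERVER_HANDSHAKE_TRAFFIC_SECRET " + "22" * 32 + " " + "cc" * 32,
    "CLIENT_TRAFFIC_SECRET_0 " + "22" * 32 + " " + "dd" * 32,
    "SERVER_TRAFFIC_SECRET_0 " + "22" * 32 + " " + "ee" * 32,
    "CLIENT_TRAFFIC_SECRET_0 " + "33" * 32 + " " + "ff" * 32,  # other secrets missing
    "CLIENT_RANDOM " + "44" * 16 + " " + "aa" * 48,            # random too short
])

if __name__ == "__main__":
    print(report(SAMPLE))
```

A key log file holds the secrets for every session recorded in it, so on a development machine it deserves the same handling as a private key.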




Worth adding that when HTTP/3 arrives, HTTP/1 doesn't go away. I imagine that HTTP/1 will never go away exactly for the reasons why people like it.


To clarify, HTTP 1.0/1.1 were successfully transmitted over TCP, multiple versions of SSL, then several versions of TLS. Just seems a bit pretentious to be tying to TLS 1.3.


Those older SSL and TLS versions are insecure now or at least deemed a bad idea from today's security ideas. TLS 1.3 partly was about removing insecure modes from TLS 1.2. If HTTP/3.0 supported anything other than TLS 1.3, then those insecure setups would persist.

Of course there are disadvantages, like when you are in a LAN or such. But I think those cases are covered well by the HTTP/1.x family already, and if not you can always add root certificates yourself or make public DNS names you control point to your 192.168.... address.



