On Fri, May 3, 2013 at 3:33 PM, Wes Felter <wmf@felter.org> wrote:
> On 5/3/13 2:06 PM, Jay Ashworth wrote:
>> It occurs to me that I don't believe I've seen any discussion of the Unexpected Consequence of pervasive HTTPS replacing HTTP for unauthenticated sessions, like non-logged-in users browsing sites like Wikipedia.
>> That traffic's not cacheable, is it?
> This has been discussed over the last year in the IETF HTTP WG in the context of SPDY and HTTP 2.0. Today this traffic is not cacheable. Some people are proposing to have a mode that is end-to-end secure and shows the lock icon in the browser and a different mode that uses SSL to the cache and SSL from the cache to the origin and doesn't show a lock. For networks that have traffic inspection "requirements" (e.g. education/enterprise) there has also been discussion about a signaling protocol for the network to indicate to browsers that all non-proxied traffic will be dropped. Transparent proxies are evil and one of the goals of HTTP 2.0 is to make proxies visible to the browser/user so they can choose whether to consent to having their traffic proxied.
> -- Wes Felter
Thanks for the summary, Wes. If operators have thoughts on this issue, there is still discussion going on about HTTP/2.0. As Wes notes, HTTP/2.0 is going to have a strong emphasis on TLS, as with SPDY. Please send comments to the WG mailing list:

<http://tools.ietf.org/wg/httpbis>
<http://lists.w3.org/Archives/Public/ietf-http-wg/>

Cheers,
--Richard