Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

which is to be expected with a TLS connection. OTOH you get to drop all the extra TCP handshakes, you get better congestion control, you get header compression, and that encrypted connection is often a really good thing.

http://bitsup.blogspot.com/2011/09/spdy-what-i-like-about-yo...

But yes, there remains no silver bullet, and you'll have to pick the right tool for the job.



Forcing the use of TLS for SPDY seems to have been intentionally crippling.


Why should a new protocol offer the option to operate insecurely?

Nothing stops a proxy from handling SPDY, if the client trusts it to do so and doesn't mind getting MITMed.


Transparent caching is part of what makes http so great. Security is relative, you can authenticate content without encrypting it, if there is nothing sensitive about the content.

The authentication can happen external to the http or spdy transaction as well.


> you can authenticate content without encrypting it

True, but insecure HTTP provides neither authentication nor encryption.

> if there is nothing sensitive about the content.

Encrypting only sensitive content leaks information to observers and attackers, namely when you transmit sensitive content, and which servers you connect to when you do so. Encrypting all content eliminates that information leak.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: