|implement RFC 2817: Upgrading to TLS Within HTTP/1.1|
|Reported by mal.chro...@gmail.com, Nov 18 2008||Back to list|
Nov 19 2008,
I believe that Firefox doesn't support RFC 2817. Here is an old discussion on it in Mozilla's crypto newsgroup: http://markmail.org/message/hwq3xqgsordlkgd3#query:+page:1+mid:kzryai3kimkvd62h+state :results
Nov 19 2008,
I believe that the benefit is small. We should implement SNI and FastTrack before this, if we haven't already (I've not tested).  http://www.ietf.org/rfc/rfc3546.txt (section 3.1)  http://citeseer.ist.psu.edu/old/shacham02fasttrack.html
Dec 10 2008,
Dec 17 2009,
Replacing labels: Area-BrowserBackend by Area-Internals
Sep 2 2010,
This bug deserves looking at again. Even if RFC2817 itself isn't supported we should at least have some heuristics for trying HTTPS after receiving an HTTP status 426. It seems an overwhelming portion of the time simply trying again with TLS on port 443 will accomplish what the user intended.
Mar 18 2011,
[refiling of b/1491455] Chrome does not implement RFC 2817 http://www.ietf.org/rfc/rfc2817.txt ------------------------------------------ That's all that's in the internal bug. I don't know if other browsers support this, nor what the benefits would be.
Mar 9 2013,
Mar 10 2013,
Nov 7 2013,
I'd like to see RFC 2817 revisited; it turns out to be the only solution the Internet has for opportunistic encryption of HTTP - that is, given an arbitrary "http" scheme URI, being able to fetch that over TLS. This seems to be of some importance given the impact of pervasive surveillance - see the IETF's recent Technical Plenary and the perpass BOF, and also the current thread (mentioning this RFC, indeed) on the email@example.com mailing list.
Apr 28 2015,
Jun 30 2016,
This issue has been available for more than 365 days, and should be re-evaluated. Hotlist-Recharge-Cold label is added for tracking. Please re-triage this issue. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Think we're safe closing this - no plans to implement it. It's better for sites to be HTTPS-only, rather than implementing this sort of opportunistic upgrade.
|► Sign in to add a comment|