Comment by superkuh
9 days ago
> If we want a secure web, HTTP/1.1 must die.
Yes, the corporations and institutions and their economic transactions must be the highest and only priority. I hear that a lot from commercial people with commercial blinders on.
They simply cannot see beyond their context and realize the web, http/1.1 is used by human people that don't have the same use cases or incredibly stringent identity verification needs. Human use cases don't matter to them because they are not profitable.
Also, this "attack" only works on commercial style complex CDN setups. It wouldn't affect human hosted webservers at all. So yeah, commercial companies, abandon HTTP, go to your HTTP/3 with all its UDP only and CA TLS only and no self signing and no clear text. And leave the actual web on HTTP/1.1 HTTP+HTTPS alone.
> Also, this "attack" only works on commercial style complex CDN setups. It wouldn't affect human hosted webservers at all.
All you need is a faulty caching proxy in front of your PHP server. Or maybe that nice anti-bot protection layer.
It really, really is easy to get bitten by this.
The author is only arguing against HTTP/1.1 for use between proxies and backends. Explicitly so:
> Note that disabling HTTP/1 between the browser and the front-end is not required
The fact that this is a footnote at the end of a long article is a rather significant problem with the article.
It requires rather careful reading to understand that. Most of the site sounds like they want to eliminate HTTP/1.1 wholesale.
Yes!
Let's get real, online security is mostly a commercial thing. Why do you think Google pushed so hard for HTTPS? Do you really think it is to protect your political opinions? No one cares about them, but a lot of people care about your credit card.
That's something I disagree with the people who made Gemini, a "small web" protocol for people who want to escape the modern web with its ads, tracking and bloat. They made TLS a requirement. Personally, I would have banned encryption. There is a cost, but it is a good way to keep commercial activity out.
I am not saying that the commercial web is bad, it may be the best thing that happened in the 21st century so far, but if you want to escape from it for a bit, I'd say plain HTTP is the way to go.
Note: of course if you need encryption and security in general for non-commercial reasons, use it, and be glad for the commercial web for helping you with that.