Score:2

TLS/SSL on http (80) with STARTTLS

ng flag

I'm researching the reason why TLS/SSL is not used over HTTP. Other protocols, such as SMTP, POP3, FTP, etc. can be used on SSL ports (SMTPS, POP3S, FTPS) for the first way, and the second way is to use the STARTTLS option on the current port with the extension (SMTP example). There is a popular way to use the second way (STARTTLS) on email protocols, but why is HTTP not using STARTTLS? I found the RFC "Upgrading to TLS Within HTTP/1.1", but it is not used nowadays (or maybe I haven't seen it yet).

mforsetti
tz flag
HTTP already has 3xx redirects to upgrade to HTTPS. Why would you add STARTTLS if you already have a convenient way to upgrade embedded in your protocol?
in flag
Starting with a plaintext protocol and then upgrading to TLS means there is plenty of time for attacking the connection. The smaller the attack surface, the smaller the chance of a successful attack. Therefore STARTTLS protocols are more and more being replaced by real TLS-protected connections.
Score:3
jp flag

One purpose of the Upgrade mechanism in RFC 2817 was to provide a virtual hosting mechanism for HTTP with TLS, as the situation was back in 2000:

The Upgrade mechanism also solves the "virtual hosting" problem. Rather than allocating multiple IP addresses to a single host, an HTTP/1.1 server will use the Host: header to disambiguate the intended web service. As HTTP/1.1 usage has grown more prevalent, more ISPs are offering name-based virtual hosting, thus delaying IP address space exhaustion.

The Server Name Indication (SNI; RFC 3546, 3.1) gave a better solution to this problem in 2003 – the one still in use – so there has not been a need for this anymore. The Upgrade header is still alive but used for different purposes, like switching from HTTP/1.1 to HTTP/2.0 (RFC 7230, 6.7).

The HTTP protocol also has the Location header (RFC 7231, 7.1.2) with the related response codes, making it easy to redirect the client to another scheme, host and port, unlike the protocols that were using STARTTLS.

Also notice that using STARTTLS was not something good and desirable that should be adopted by more protocols. In fact, RFC 8314 now obsoletes the cleartext protocols for email submission and access, leaving MTA-to-MTA SMTP as the only email protocol where STARTTLS should be used. From section 3:

Although this mechanism has been deployed, an alternate mechanism where TLS is negotiated immediately at connection start on a separate port (referred to in this document as "Implicit TLS") has been deployed more successfully. To encourage more widespread use of TLS and to also encourage greater consistency regarding how TLS is used, this specification now recommends the use of Implicit TLS for POP, IMAP, SMTP Submission, and all other protocols used between an MUA and an MSP.
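To make the two mechanisms compared in this answer concrete, here is an added example (not code from the answer or from any RFC) that classifies a server's reply to a plaintext HTTP/1.1 request: an RFC 7231 redirect whose Location carries the new scheme, host and port, versus an RFC 2817 Upgrade: TLS response (101 Switching Protocols or 426 Upgrade Required) that keeps the same connection. The sample responses and the host example.com are constructed for the example.

```python
from urllib.parse import urlsplit

def parse_response(raw: bytes):
    """Split a raw HTTP/1.1 response into (version, status, headers).
    Header names are lower-cased; repeated headers are kept as a list."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    version, status, *_ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return version, int(status), headers

def classify_upgrade(raw: bytes, request_host: str) -> dict:
    """Report how (and whether) the server moves the client to TLS."""
    _version, status, headers = parse_response(raw)
    result = {"status": status, "mechanism": "none", "target": None, "same_host": None}
    # RFC 7231 redirect: Location can change scheme, host and port at once.
    if status in (301, 302, 303, 307, 308) and "location" in headers:
        location = headers["location"][0]
        target = urlsplit(location)
        result["target"] = location
        result["same_host"] = (target.hostname == request_host)
        result["mechanism"] = ("redirect-to-https" if target.scheme == "https"
                               else "redirect-cleartext")  # still no TLS
        return result
    # RFC 2817 Upgrade: TLS starts on the existing connection, same host and port.
    upgrade = [t.strip() for v in headers.get("upgrade", []) for t in v.split(",")]
    conn = [t.strip().lower() for v in headers.get("connection", []) for t in v.split(",")]
    if any(t.upper().startswith("TLS/") for t in upgrade) and "upgrade" in conn:
        result["same_host"] = True
        if status == 101:
            result["mechanism"] = "rfc2817-switching"   # TLS handshake follows now
        elif status == 426:
            result["mechanism"] = "rfc2817-required"    # client must re-request with Upgrade
    return result

# Constructed sample responses, one per case.
REDIRECT = (b"HTTP/1.1 301 Moved Permanently\r\nLocation: https://example.com/\r\n"
            b"Content-Length: 0\r\n\r\n")
REQUIRED = (b"HTTP/1.1 426 Upgrade Required\r\nUpgrade: TLS/1.0, HTTP/1.1\r\n"
            b"Connection: Upgrade\r\nContent-Length: 0\r\n\r\n")
SWITCHING = (b"HTTP/1.1 101 Switching Protocols\r\nUpgrade: TLS/1.0, HTTP/1.1\r\n"
             b"Connection: Upgrade\r\n\r\n")
PLAIN = b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"

if __name__ == "__main__":
    for sample in (REDIRECT, REQUIRED, SWITCHING, PLAIN):
        print(classify_upgrade(sample, "example.com"))
```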

Score:1
se flag

One reason might be that an additional STARTTLS would add more overhead, since an additional round trip (request + response) is needed. The time from connection start to response is fairly critical with HTTP though, and lots of optimizations were done to reduce this time, like a shorter TLS handshake or different protocols like QUIC. Adding something like STARTTLS would increase the time instead and thus is not a good idea.
