Hacker News new | ask | show | jobs
by AnthonyMouse 640 days ago
That's assuming you can (and know how to) turn off the warnings.

And many browsers do warn for self-signed certificates even on local IPs. They may not warn for unencrypted connections -- which is a weird choice given that TLS with a self-signed certificate is still more secure (e.g. against passive eavesdroppers) than unencrypted HTTP -- but HTTP/3 doesn't support unencrypted connections or self-signed certificates.
1 comments
Dylan16807 640 days ago
My argument is just that you can still screw around easily. I'm not worried about HTTP/1 going away soon.
link
AnthonyMouse 639 days ago
Sometimes it's worth considering what the long-term implications of something are.

HTTP/3 is likely to become widely adopted over time, if for no other reason than that people install software updates and it becomes the default once popular browsers and web servers add support. People may even like the new features.

Then we get some new security vulnerabilities that get fixed in HTTP/3 but not older versions, and by then only a minority of sites use the older versions, so they get a warning. That spurs most of the holdouts to switch to the new version because they can't have scary browser warnings driving users away from their site. Which in turn allows the older versions to be fully deprecated and ultimately removed. And that's more likely here because the code for handling TCP and UDP are quite different and people aren't going to want to maintain the former if hardly anybody is using it.

It'll be years before that happens, but if a problem is foreseeable then maybe we should demand a solution contemporaneously with the creation of the problem instead of foisting it on the kids.

link
Dylan16807 639 days ago
The current trend as far as I can tell is that it's easier than it used to be to host a web server. So that also has long term implications.

It's really tricky to predict exactly what web servers will do, but I don't see any reason to think it well ever be hard to set one up. You're fixating on a very specific warning and the way you're extrapolating into the future assumes that half the software changes but the other half doesn't. It just doesn't work well to predict things. And we already have solutions, they're just used less because HTTP/1 is so easy.

Another thing to consider is that the number of household devices that need access is growing rapidly. We're not going to break them all.

link