[stanleydrew]

This is a strange comment. SPDY benefits everyone who uses it, not just Google. And actually, for any site with authentication plain HTTP does not do the job, since all requests that pass authentication information should be encrypted. So HTTPS is a requirement and if SPDY can help make HTTPS faster then everyone wins.

[xyzzyz]

SPDY benefits everyone who uses it, not just Google.

You seem to not notice the elephant in the room, being the mandatory TLS encryption.

[jrockway]

What's wrong with mandatory encryption? Do you still use rsh to log in to your servers?

[xyzzyz]

What's wrong with mandatory encryption?

Some people say that it uses too much computational resources, for instance. Others complain that mandatory TLS increases latency by one additional RTT. Mandatory TLS is a biggest point of conflict at the IETF discussion about SPDY being the HTTP successor (at least from what I heard), though many sides disagree for evil reasons.

Do you still use rsh to log in to your servers?

Does this question add anything of value to the discussion?

[harshreality]

Those people are living in a fantasy world where governments or ISPs do not care about what their citizens or customers are browsing and are not doing wholesale traffic proxying/collection. In that fantasy world, it's rare for companies who should know better to serve login pages over insecure connections.

SSL also prevents doing MITM to serve malicious content to browsers to exploit browser or plugin vulnerabilities. Universal SSL would mean attackers would have to get you to visit their site, or a site that includes content that they control.

[jrockway]

Does this question add anything of value to the discussion?

Yes. If you are the "I hate encryption because it messes with my tinfoil hat" type, you'll get all angry and not reply. For anyone else, the question is just a minor annoyance to wade through ;)

[xyzzyz]

If you wonder whether your disputant may be tinfoil hat type, the exploratory questions to verify this conjecture may make your disputant not want to discuss with you any longer, because it's kind of distasteful.

[jrockway]

That's why I added a smiley face at the end.

[jvehent]

Just because some poorly trained engineers don't understand the concept of security should not force the rest of us to use strong, and slow, encryption. Encrypting the wire should only be used to solve very specific problem. Often, encrypting the data in the application, and transmitting over cleartext http, is better.

I understand those concepts, and that why I don't want SPDY to force me to use TLS everywhere. It's just overkill and cumbersome.