This pops up every time. I don't really get what he's trying to tell us here. If we forward HTTP requests to HTTPS and use HSTS on top we're basically doing what he wants, right?
As I understand it, he's suggesting that HTTP should incorporate something equivalent to STARTTLS as seen in some form in IMAP, POP3, FTP, LDAP, Postgres, and probably several others I'm forgetting.
Well, that gave really bad results in SMTP, IMAP, POP3, and LDAP. Postgres just does not suffer much because the client always knows whether to upgrade the connection or not.
Ideally, we should be using DANE or some other kind of signed broadcasted info. Telling the user what happened is just a very good workaround (that will stay useful even if we change to DANE).
> If we forward HTTP requests to HTTPS and use HSTS
Right, I think his point there was, the ecosystem has to make many changes to ensure the links are the "secure version": we create URLs with https, make browser changes to redirect (HSTS), use redirect in server software, etc.
With "just" HTTP, all URLs are uniform, but the protocol is modified upon connection to 'upgrade' the link to something secure, instead. HSTS maybe wouldn't be needed (or would take a slightly different form).