Re: Origin vs Authority; use of HTTPS (draft-nottingham-site-meta-01) from Adam Barth on 2009-02-11 (ietf-http-wg@w3.org from January to March 2009)

From: Adam Barth <abarth@cs.stanford.edu>
Date: Tue, 10 Feb 2009 17:02:09 -0800
To: www-talk@w3.org
Cc: Thomas Roessler <tlr@w3.org>, Eran Hammer-Lahav <blade@yahoo-inc.com>, ietf-http-wg@w3.org, discuss@apps.ietf.org, Collin Jackson <collinj@cs.stanford.edu>, Mark Nottingham <mnot@yahoo-inc.com>
Message-ID: <7789133a0902101702n2a441586yf22af5212236a46d@mail.gmail.com>

On Tue, Feb 10, 2009 at 4:31 PM, Mark Nottingham <mnot@yahoo-inc.com> wrote:
> Well, the authority is host + port; common sense tells us that it's unlikely
> that the same (host, port) tuple that we speak HTTP on is also going to
> support SMTP or XMPP. I'm not saying that common sense is universal,
> however.

These assumptions are often violated in attack scenarios, especially
by active network attackers who are very capable of hiding the honest
https://example.com server behind a spoofed http://example.com:443
server.

Adam

Received on Wednesday, 11 February 2009 01:02:46 UTC