Re: The TLS hammer and resource integrity

From: Adrien W. de Croy <adrien@qbik.com>
Date: Wed, 28 Mar 2012 08:29:46 +0000
To: "Henry Story" <henry.story@bblfish.net>, "Willy Tarreau" <w@1wt.eu>
Cc: "Martin Thomson" <martin.thomson@gmail.com>, "HTTP Working Group" <ietf-http-wg@w3.org>
Message-Id: <em98e1e1ad-87d7-46d8-a78a-fdb7c26a5851@boist>

------ Original Message ------
From: "Henry Story" <henry.story@bblfish.net>
>
>So your argument is stronger, since you argue that a lot of computers are malware
>infested. Of course there the thing to do is for banks to add other methods of
>verification or notification,
>
You're right on this count.  One of my banks used to rely just on 
SSL/TLS.
  
Now I have to carry a watch-word around... in fact 3 of them for my 3 
banks.
  
Are you suggesting websites should all start issuing physical security 
devices so that people can enjoy their site with REAL security
  
or are you happy with the illusion?
  
Maybe a better metaphor would have been the Matrix.
  
We're not looking for blue pills here.
  
>>
>>
>>We'll just lower the overall security by applying the same security
>>enforcement to all sites. Connecting to your bank or to your WiFi
>>router's admin page will look equally safe.
>>
>
>
>Ah it is the "look" of security that is worrying you? Going to a bank should
>"look" more secure than your router's admin page? But your router admin page
>should be just as secure as the bank if possible, since that is another vector
>of attack.
>
  
He meant the opposite.  We're not interested in something masquerading 
as security.  If we're going to place the cost on the world, it needs 
to provide actual security.
  
  
  
>>
>>I don't think this is the
>>intent of this move, really.
>>
>>Willy
>>
>>
>
>
>Social Web Architect
>http://bblfish.net/
>
>
>
>
Received on Wednesday, 28 March 2012 08:30:20 GMT
