
Re: The TLS hammer and resource integrity

From: Martin Thomson <martin.thomson@gmail.com>
Date: Wed, 28 Mar 2012 15:11:05 +0200
Message-ID: <CABkgnnUgWrbwdTjgUmTQ1awCg=fUbJrAHhwGc=D0XC5xQz0U4w@mail.gmail.com>
To: Roberto Peon <grmocg@gmail.com>
Cc: Willy Tarreau <w@1wt.eu>, Henry Story <henry.story@bblfish.net>, "Adrien W. de Croy" <adrien@qbik.com>, HTTP Working Group <ietf-http-wg@w3.org>
On 28 March 2012 13:43, Roberto Peon <grmocg@gmail.com> wrote:
> If you make
> SSL implementation optional on the server side, you suffer from a downgrade
> attack whereby an intermediary (potentially malicious), denies you all
> security on the communications channel.
> If this decision is made, it must be made by the client for the
> client<->intermediary connection.

You can't downgrade https:// URIs now because it is non-negotiable, so
what's the threat model here?
Received on Wednesday, 28 March 2012 13:11:39 GMT
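The two situations contrasted in this exchange, negotiated (optional) TLS that an in-path hop can strip versus an https:// URI where TLS is never negotiated, as an added simulation that is not code from the thread or from any HTTP stack. The `Upgrade`-header style of negotiation, the `Policy`, `Intermediary` and `fetch` names, and the host `example.test` are assumed here purely for illustration; the intermediary is a toy that can edit cleartext it sees and drop connections, but cannot read or alter a TLS session.

```python
"""Constructed downgrade simulation: optional TLS vs. an https:// URI.

Not code from the mailing-list thread. The header-based TLS offer is a
simplified stand-in for a real negotiation mechanism; the point is only
which outcomes an in-path intermediary can force under each client policy.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict


class Policy(Enum):
    OPPORTUNISTIC = "opportunistic"  # talk cleartext first, use TLS only if offered
    HTTPS_URI = "https_uri"          # scheme is https://, TLS is non-negotiable


@dataclass
class Message:
    start_line: str
    headers: Dict[str, str] = field(default_factory=dict)


@dataclass
class Intermediary:
    """Hop between client and origin (constructed for this example).

    It can rewrite cleartext passing through it and it can refuse to relay
    a connection, but it cannot see inside or modify a TLS session.
    """
    strip_upgrade: bool = False  # remove the server's TLS offer from cleartext
    block_tls: bool = False      # refuse to relay TLS handshakes (pure denial of service)

    def relay_cleartext(self, resp: Message) -> Message:
        if self.strip_upgrade:
            resp.headers.pop("Upgrade", None)
        return resp

    def relay_tls_handshake(self) -> bool:
        return not self.block_tls


def origin_server(req: Message, tls_capable: bool) -> Message:
    """Server with TLS left optional: it advertises the upgrade instead of
    requiring it, so the advertisement itself travels in cleartext."""
    resp = Message("HTTP/1.1 200 OK", {"Content-Type": "text/plain"})
    if tls_capable:
        resp.headers["Upgrade"] = "TLS/1.2"  # assumed offer format for illustration
    return resp


def fetch(policy: Policy, hop: Intermediary, server_tls_capable: bool = True) -> str:
    """Return the channel the client ends up on: 'tls', 'plaintext' or 'failed'."""
    if policy is Policy.HTTPS_URI:
        # https:// : the client opens TLS immediately. There is no cleartext
        # round-trip for the hop to tamper with; the worst it can do is block.
        if not server_tls_capable or not hop.relay_tls_handshake():
            return "failed"
        return "tls"

    # Opportunistic: first request goes in the clear and the decision to use
    # TLS depends on what arrives, which is exactly what the hop controls.
    req = Message("GET / HTTP/1.1", {"Host": "example.test"})
    resp = hop.relay_cleartext(origin_server(req, server_tls_capable))
    if resp.headers.get("Upgrade", "").startswith("TLS"):
        return "tls" if hop.relay_tls_handshake() else "failed"
    return "plaintext"  # no offer seen, so the client carries on unprotected


def outcome_matrix() -> Dict[str, str]:
    """Every combination of policy and hop behaviour, for side-by-side reading."""
    hops = {
        "honest": Intermediary(),
        "strips_offer": Intermediary(strip_upgrade=True),
        "blocks_tls": Intermediary(block_tls=True),
    }
    return {
        f"{policy.value}/{name}": fetch(policy, hop)
        for policy in Policy
        for name, hop in hops.items()
    }


if __name__ == "__main__":
    for case, result in outcome_matrix().items():
        print(f"{case:28} -> {result}")
```

The matrix makes the asymmetry concrete: with the opportunistic policy a hop that silently deletes the offer lands the client in plaintext without any error, whereas with an https:// URI the same hop changes nothing and a hostile hop can only produce a visible failure, never an unprotected session.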
