
Re: Semantics of HTTPS

From: Mark Nottingham <mnot@mnot.net>
Date: Mon, 6 Aug 2012 16:16:48 -0500
Cc: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Message-Id: <0697836F-C4AD-4D89-AB5E-2C83B16A91AF@mnot.net>
To: Willy Tarreau <w@1wt.eu>

On 06/08/2012, at 4:14 PM, Willy Tarreau <w@1wt.eu> wrote:

>> Right. That's a big change from the semantics of HTTPS today, though; right
>> now, when I see that, I know that I have end-to-end TLS.
> 
> No, you *believe* you do, you really don't know. That's clearly the problem
> with the way it works, man-in-the-middle proxies are still able to intercept
> it and to forge certs they sign with their own CA and you have no way to know
> if your communications are snooped or not.

It's a really big logical leap from the existence of an attack to changing the fundamental semantics of the URI scheme. And, that's what a MITM proxy is -- it's not legitimate, it's not a recognised role, it's an attack. We shouldn't legitimise it. 

Cheers,

--
Mark Nottingham
http://www.mnot.net/
Received on Monday, 6 August 2012 21:17:11 GMT
