Re: Upgrade status for impl draft 1

From: Eliot Lear <lear@cisco.com>
Date: Thu, 28 Feb 2013 08:31:33 +0100
Message-ID: <512F07D5.7040107@cisco.com>
To: Amos Jeffries <squid3@treenet.co.nz>
CC: ietf-http-wg@w3.org

On 2/28/13 6:58 AM, Amos Jeffries wrote:

>
> Can we take a step back folks and outline _exactly_ what it is that
> needs protecting here?
>
>  - the datum responded by DNS?
>  - the HTTP channel?
>

The case we're talking about is where http://www.example.com:8080 and
https://www.example.com:4343 have the exact same content and services. 
You don't want a man in the middle to be able to force clients to 8080
when a more secure encrypted service is advertised.  One simple way
around this is not to have 8080 available for this purpose.  Otherwise,
you want to ensure the information you are getting from the DNS is
accurate and complete.  DNSSEC provides that capability.

Eliot
Received on Thursday, 28 February 2013 07:32:02 GMT