- From: Mark Nottingham <mnot@mnot.net>
- Date: Tue, 1 Oct 2013 16:00:32 +1000
- To: Eliot Lear <lear@cisco.com>
- Cc: "ietf-http-wg@w3.org WG" <ietf-http-wg@w3.org>

On 01/10/2013, at 3:57 PM, Eliot Lear <lear@cisco.com> wrote:

> That is not what I call a strong indication. Want to test its
> effectiveness with users?

I'm not disagreeing with you. Then again, it's already possible to perform this attack; the only difference is that the hostname will change (or not, depending on how IRIs are handled, and how creative the attacker is). Stronger mitigation is indeed necessary, although I disagree with your characterisation of only having three possible ways forward.

>> It merely says "http protocol over TLS/SSL." That's what's happening here.
>>
>> More to the point, this draft is proposing a pretty fundamental change to how URI schemes map to protocols and ports, and so some adjustment of scheme and port semantics ought to be expected.
>
> Not to the detriment of TLS.

Of course. We'll need to define that, though.

Regards,

--
Mark Nottingham http://www.mnot.net/

Received on Tuesday, 1 October 2013 06:01:00 UTC