Re: Moving forward on improving HTTP's security

From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Date: Thu, 14 Nov 2013 18:57:38 +0000
Message-ID: <52851D22.5010704@cs.tcd.ie>
To: Tao Effect <contact@taoeffect.com>
CC: HTTP Working Group <ietf-http-wg@w3.org>

On 11/14/2013 06:07 PM, Tao Effect wrote:
> 2. A false sense of security is _worse_ than knowing you aren't
> secure.

Protocols do not give any "sense of security", neither true nor
false, so attempting to argue from that basis is a fallacy IMO.

If an example helps, some of the very earliest browsers used to
generate session keys very badly - no matter how secure the protocol
had been it'd have made no difference. And afaik there's no way to
give a "sense of security" that'd capture that.

The whole "false sense of security" argument is basically bogus
in this context; it could perhaps be meaningful in a UI developer
discussion, but not here, no matter how good it sounds.

S.
Received on Thursday, 14 November 2013 18:58:06 UTC