W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2013

Re: A proposal

From: Albert Lunde <atlunde@panix.com>
Date: Tue, 19 Nov 2013 08:33:14 -0600
Message-ID: <528B76AA.7090208@panix.com>
To: HTTP Working Group <ietf-http-wg@w3.org>
I'm not sure how "opportunistic encryption" of traffic without 
validation of server certificates would be defended against active 
man-in-middle attacks. (Not unlike the attack on Tor, or less elaborate 
sorts of DNS spoofing.)

https://www.schneier.com/blog/archives/2013/10/how_the_nsa_att.html

It's outside the HTTP protocol as such, but without additional security 
measures, such as have already been mentioned, using TLS without server 
validation seems fundamentally unreliable.

With so much of JavaScript and Flash security based on "trusted" 
origins, the browser environment seems at risk from server spoofing or 
session hijacking by various bad actors.  The "mixed content" risks come 
from a more complicated mix of threats than passive eavesdropping alone.

This may be mostly the outside this working group's activity but it at 
least bears on security considerations.

Plaintext HTTP still seems like it might be useful, but the contexts 
where that is true are getting more specialized. At the same time, TLS 
is not a cure-all.
Received on Tuesday, 19 November 2013 14:33:40 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:11:19 UTC