
Re: I revised the pro/contra document

From: Nicolas Mailhot <nicolas.mailhot@laposte.net>
Date: Tue, 26 Nov 2013 10:54:18 +0100
Message-ID: <78a1f135c1c08c2e5210b55526cefe32.squirrel@arekh.dyndns.org>
To: "Stephen Farrell" <stephen.farrell@cs.tcd.ie>
Cc: "Adrien de Croy" <adrien@qbik.com>, "Tim Bray" <tbray@textuality.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>

On Mon, 25 November 2013 14:22, Stephen Farrell wrote:

> What I've been saying (repeatedly, sorry:-) is that if a
> solution for inbound malware scanning or similar is developed
> for HTTP, then that needs to be done without breaking TLS, and
> that standardising a generic MITM attack on TLS would mean
> breaking TLS, which is used by many more protocols than just
> HTTP.

If properly specced it won't break tls any more than sending mail to
foo.com through tls.smtp.gmail.com (that does malware scanning) breaks tls
(though being able to do it with message encryption again, like in mail,
would be great)

The whole problem here is that browsers and web sites got used to thinking
of https as end-to-end when the http protocol is explicitly hop-by-hop,
and when the hop-by-hop nature of http reasserts itself they see it as an
attack they try to "fix" instead of faulty expectations.

-- 
Nicolas Mailhot
Received on Tuesday, 26 November 2013 09:54:54 UTC
