- From: Nicolas Mailhot <nicolas.mailhot@laposte.net>
- Date: Tue, 26 Nov 2013 10:54:18 +0100
- To: "Stephen Farrell" <stephen.farrell@cs.tcd.ie>
- Cc: "Adrien de Croy" <adrien@qbik.com>, "Tim Bray" <tbray@textuality.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>

On Mon, 25 November 2013 14:22, Stephen Farrell wrote:

> What I've been saying (repeatedly, sorry:-) is that if a
> solution for inbound malware scanning or similar is developed
> for HTTP, then that needs to be done without breaking TLS, and
> that standardising a generic MITM attack on TLS would mean
> breaking TLS, which is used by many more protocols than just
> HTTP.

If properly specced it won't break tls any more than sending mail to foo.com through tls.smtp.gmail.com (that does malware scanning) breaks tls (though being able to do it with message encryption again, like in mail, would be great).

The whole problem here is that browsers and web sites got used to thinking of https as end-to-end when the http protocol is explicitly hop-by-hop, and when the hop-by-hop nature of http reasserts itself they see it as an attack they try to "fix" instead of faulty expectations.

--
Nicolas Mailhot

Received on Tuesday, 26 November 2013 09:54:54 UTC