RE: Fwd: New Version Notification for draft-nottingham-http2-encryption-02.txt

From: Yoav Nir [mailto:synp71@live.com], Sunday, December 15, 2013 3:53 AM

> No scary UI means that a MitM or someone who has compromised the DNS can 
> hijack your connection, show a self-signed cert, and get no indication 
> to the user that something is wrong.  So (let's use hotmail, because not 
> all examples have to be gmail):
>
> http://hotmail.com  redirects to https://selfsigned.live.com  which has 
> a self-signed certificate, and everything looks fine.  Except it's an 
> attacker.

The problem is really the insecure redirect, not the use of a self-signed certificate. We could have: http://hotmail.com  redirects to https://recorder.dgse.fr  which has  a CA-signed certificate, and everything looks fine. The only protection against that one is to connect to "https://hotmail.com," and get an authentic redirect if needed. 

-- Christian Huitema

Received on Monday, 16 December 2013 00:38:42 UTC