Re: Call for Adoption: Encrypted Content Encoding

From: Eliot Lear <lear@cisco.com>
Date: Mon, 30 Nov 2015 13:18:06 +0100
To: Roland Zink <roland@zinks.de>, ietf-http-wg@w3.org
Message-ID: <565C3E7E.8080705@cisco.com>

Hi Roland,

On 11/30/15 12:50 PM, Roland Zink wrote:
> How is this different from the current web model allowing ads to be
> served from everywhere? There is no guarantee that the content can't
> be hijacked.

I would say that those who reference those ads have a certain
responsibility to see that they are clean, but other than that I'm not
sure how the question is relevant.  The approach introduces a new vector
and it should thus be addressed.

>> But I would suggest that there are mitigations to this attack, one such
>> being that the content is attested to by a malware protection system
>> (McAfee, Kaspersky, etc) such that server might trust it, and might
>> otherwise reject such content.
> Do you want to allow third parties access to the content?

"Want" may be a bit strong.  Would I suffer it?  Possibly.  I would not
want to receive infected content.  But heck, what I wrote above was
meant more as a way to prove to myself, if nobody else, that there is at
least one approach that can be employed to mitigate the threat.  Whether
server administrators use that method is another story.  Whether there
are other approaches is also a very fair question as far as I am concerned.

Eliot


Received on Monday, 30 November 2015 12:18:37 UTC
