Re: Call for Adoption: Encrypted Content Encoding

On 01.12.2015 01:19, Roland Zink wrote:
> On 01.12.2015 at 00:32, Jim Manico wrote:
>> > TLS is also end-to-end
>>
>> No way is that true. TLS per the standard can be MITM'ed by proxies 
>> in ways that subvert both certificate pinning and HSTS in ways that 
>> do NOT inform the user in any browser today. I'm happy to provide 
>> references to this if you like.
>>
> The browser will build an end-to-end TLS tunnel through known proxies. 
> Intercepting proxies may do MITM and
and exactly these intercepting proxies can't validate this content, whether it 
contains malware or not;
as I said, THIS DRAFT IS NONSENSE;


> RFC7469 says it is allowed for clients to turn off pin validation 
> based on some policy and still be compliant. Is this what you want to 
> reference?
>
> However it is also compliant to not do this and do pin validation.
>
how does this help prevent clients from receiving malware, which will be 
raised through this draft?

Received on Tuesday, 1 December 2015 08:22:33 UTC