
Re: Call for Adoption: Encrypted Content Encoding

From: Walter H. <Walter.H@mathemainzel.info>
Date: Tue, 01 Dec 2015 09:22:01 +0100
Message-ID: <565D58A9.5030804@mathemainzel.info>
To: Roland Zink <roland@zinks.de>
CC: Jim Manico <jim@manicode.com>, ietf-http-wg@w3.org
On 01.12.2015 01:19, Roland Zink wrote:
> On 01.12.2015 at 00:32, Jim Manico wrote:
>> > TLS is also end-to-end
>>
>> No way is that true. TLS per the standard can be MITM'ed by proxies 
>> in ways that subvert both certificate pinning and HSTS in ways that 
>> do NOT inform the user in any browser today. I'm happy to provide 
>> references to this if you like.
>>
> The browser will build a end to end TLS tunnel through known proxies. 
> Intercepting proxies may do MITM and
and exactly these intercepting proxies can't validate this content, 
whether it contains malware or not;
as I said, THIS DRAFT IS NONSENSE;


> RFC7469 says it is allowed for clients to turn off pin validation 
> based on some policy and still be compliant. Is this what you want to 
> reference?
>
> However it is also compliant to not do this and do pin validation.
>
How does this help prevent clients from receiving malware, which will be 
raised through this draft?



Received on Tuesday, 1 December 2015 08:22:33 UTC
