W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2015

Re: Call for Adoption: Encrypted Content Encoding

From: Walter H. <Walter.H@mathemainzel.info>
Date: Tue, 01 Dec 2015 09:22:01 +0100
Message-ID: <565D58A9.5030804@mathemainzel.info>
To: Roland Zink <roland@zinks.de>
CC: Jim Manico <jim@manicode.com>, ietf-http-wg@w3.org
On 01.12.2015 01:19, Roland Zink wrote:
> Am 01.12.2015 um 00:32 schrieb Jim Manico:
>> > TLS is also end-to-end
>> No way is that true. TLS per the standard can be MITM'ed by proxies 
>> in ways that subvert both certificate pinning and HSTS in ways that 
>> do NOT inform the user in any browser today. I'm happy to provide 
>> references to this if you like.
> The browser will build a end to end TLS tunnel through known proxies. 
> Intercepting proxies may do MITM and
and exact these intercepting proxies can't validate this content, if it 
contains malware or not;

> RFC7469 says it is allowed for clients to turn off pin validation 
> based on some policy and still be compliant. Is this what you want to 
> reference?
> However it is also compliant to not do this and do pin validation.
what does this help preventing clients receiving malware, that will be 
raised through this draft?

Received on Tuesday, 1 December 2015 08:22:33 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:11:40 UTC