Re: Call for Adoption: Encrypted Content Encoding

From: Walter H. <Walter.H@mathemainzel.info>
Date: Wed, 02 Dec 2015 16:34:21 +0100
Message-ID: <565F0F7D.8050204@mathemainzel.info>
To: Cory Benfield <cory@lukasa.co.uk>
CC: ietf-http-wg@w3.org

On 02.12.2015 16:04, Cory Benfield wrote:
>>> What I also said is that it reduces or removes certain other attack surfaces.
>> please be concrete here, I don't see any reduction or removing of certain other attack surfaces;
> Sure. This drastically reduces the likelihood of intermediaries replacing a legitimate payload with a malware-ridden one,
why should this be true?
you've forgotten something essential: anything in this draft can also be 
faked by intermediaries ..., so where is the guarantee the PDF or 
whatever is the real one you expect?

this should be enough to see, that this is ONLY an increase of the 
attack vector, and nothing else;

your example with PDF and bank: when this occurs we have another 
problem, which can't be prevented by this draft nor by something else ...

we should be realistic: an increase of attack vector and no new features 
is no useful use case; it is reason enough to destroy this draft;
>>> The reason we shouldn’t destroy this draft is because this draft doesn’t “only helps increasing the attack vector”.
>> let me say it in other words; I don't see any feature which is new and we hadn't already before …
> That cannot be accurate: you’ve just discussed some.
from the view of malware ...; from the view of good-ware there is no new 
feature, which already exists as alternative before;
encrypted .rar/.zip archives as example;




Received on Wednesday, 2 December 2015 15:34:48 UTC