Re: [hrpc] HTTP status code for "access blocked to protect you against malware/phishing/etc"?

On Nov 20, 2017, at 6:37 AM, Stephane Bortzmeyer <bortzmeyer@nic.fr> wrote:
> The only draft I've found about this specific idea is
> <https://datatracker.ietf.org/doc/draft-lemon-tls-blocking-alert/>,
> but it is TLS-specific.

I stopped pushing this after David Oran pointed out that there's no way to authenticate who is making the claim about why the content was blocked. I think this is a bit of a flaw in the 451 code idea as well—if it's not signed by whoever is claiming authority to do the block, it can be used to tell the end user something that is not true and can be turned into an attack on whomever the blocking is attributed to.

Received on Monday, 20 November 2017 16:45:00 UTC