
html5/spec Overview.html,1.2693,1.2694

From: Ian Hickson via cvs-syncmail <cvsmail@w3.org>
Date: Wed, 29 Jul 2009 08:40:44 +0000
To: public-html-commits@w3.org
Message-Id: <E1MW4iK-0008D6-OW@lionel-hutz.w3.org>
Update of /sources/public/html5/spec
In directory hutz:/tmp/cvs-serv31546

Modified Files:
Log Message:
Mention the case of a previously-CA-signed-cert page turning into a self-signed-cert page. (whatwg r3495)

Index: Overview.html
RCS file: /sources/public/html5/spec/Overview.html,v
retrieving revision 1.2693
retrieving revision 1.2694
diff -u -d -r1.2693 -r1.2694
--- Overview.html	29 Jul 2009 08:04:16 -0000	1.2693
+++ Overview.html	29 Jul 2009 08:40:41 -0000	1.2694
@@ -4494,6 +4494,11 @@
   erroneous certificates or must act as if such resources were in fact
   served with no encryption.</p>
+  <p>User agents should warn the user that there is a potential
+  problem whenever the user visits a page that the user has previously
+  visited, if the page uses less secure encryption on the second
+  visit.</p>
   <p>Not doing so can result in users not noticing man-in-the-middle
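Review bot: "less secure encryption on the second visit" in the added paragraph is not testable as written. "Less secure" is left undefined: it could mean a weaker cipher, a certificate that no longer validates, or a drop from an encrypted to an unencrypted connection. "The second visit" reads as if only one later visit counts, where "a subsequent visit" is presumably meant. The paragraph also implies that the user agent keeps a record of the security state seen on earlier visits, without saying so. Suggest naming the properties that are compared between visits and stating the stored-state assumption explicitly.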
@@ -4515,6 +4520,12 @@
    from a different host and only apply man-in-the-middle attacks to
    that host, for example taking over scripts in the page.</p>
+   <p>If a user bookmarks a site that uses a CA-signed certificate,
+   and then later revisits that site directly but the site has started
+   using a self-signed certificate, the user agent could warn the user
+   that a man-in-the-middle attack is likely underway, instead of
+   simply acting as if the page was not encrypted.</p>
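Review bot: the example is conditioned on the user having bookmarked the site, but the normative paragraph added earlier in this patch is triggered by any page "the user has previously visited"; a bookmark is only one way the user agent could know the earlier state. The example also uses "could warn" where that paragraph uses "should warn", so it reads as optional behaviour rather than an illustration of the requirement. Suggest wording the example in terms of a previous visit and aligning the verb with the requirement. Minor: "as if the page was not encrypted" should be "were" to match "as if such resources were in fact served with no encryption" in the existing text.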
Received on Wednesday, 29 July 2009 08:40:53 UTC
