W3C home > Mailing lists > Public > public-html-diffs@w3.org > July 2009

hixie: Mention the case of a previously-CA-signed-cert page turning into a self-signed-cert page. (whatwg r3495)

From: poot <cvsmail@w3.org>
Date: Wed, 29 Jul 2009 17:41:01 +0900 (JST)
To: public-html-diffs@w3.org
Message-Id: <20090729084101.F00A72BC37@toro.w3.mag.keio.ac.jp>
hixie: Mention the case of a previously-CA-signed-cert page turning into
a self-signed-cert page. (whatwg r3495)

http://dev.w3.org/cvsweb/html5/spec/Overview.html?r1=1.2693&r2=1.2694&f=h
http://html5.org/tools/web-apps-tracker?from=3494&to=3495

===================================================================
RCS file: /sources/public/html5/spec/Overview.html,v
retrieving revision 1.2693
retrieving revision 1.2694
diff -u -d -r1.2693 -r1.2694
--- Overview.html	29 Jul 2009 08:04:16 -0000	1.2693
+++ Overview.html	29 Jul 2009 08:40:41 -0000	1.2694
@@ -4494,6 +4494,11 @@
   erroneous certificates or must act as if such resources were in fact
   served with no encryption.</p>
 
+  <p>User agents should warn the user that there is a potential
+  problem whenever the user visits a page that the user has previously
+  visited, if the page uses less secure encryption on the second
+  visit.</p>
+
   <p>Not doing so can result in users not noticing man-in-the-middle
   attacks.</p>
 
@@ -4515,6 +4520,12 @@
    from a different host and only apply man-in-the-middle attacks to
    that host, for example taking over scripts in the page.</p>
 
+   <p>If a user bookmarks a site that uses a CA-signed certificate,
+   and then later revisits that site directly but the site has started
+   using a self-signed certificate, the user agent could warn the user
+   that a man-in-the-middle attack is likely underway, instead of
+   simply acting as if the page was not encrypted.</p>
+
   </div>
Received on Wednesday, 29 July 2009 08:41:38 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Saturday, 18 December 2010 06:14:07 GMT