Re: [fetch] Request for support for certificate pinning (#98)

@igrigorik I agree that the global list should be per page instance and per origin, kind of like the current page's cookies are.

But if you say that it's useless because theoretically you can compromise it, then one could say the same about HPKP or WBC.

If someone does a MITM then replacing the HPKP headers is trivial and would fool any browser that has not seen this domain before. Accessing a 3rd party service is doing exactly that; already knowing the fingerprint would allow detection of the MITM even on the first access. I'm not trying to replace HPKP, but to complement it.

As for the attack target, it is more efficient to do a MITM against the 3rd party service and get all connections to it than to MITM all its clients and have to change the JS for each of those individually. The number of compromised users is smaller and the effort is higher - the bar is raised. I believe that's a good thing.

Also consider the case where the app is actually deployed at the client in a secure way, e.g. in a signed installer, so it does not have that problem. The fingerprint it would use for the discovery server is in that package.

---
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/98#issuecomment-128511392

Received on Thursday, 6 August 2015 21:16:13 UTC