Re: AW: AW: AW: WebSocket API: close and error events

From: Ian Hickson <ian@hixie.ch>
Date: Tue, 25 Oct 2011 22:32:31 +0000 (UTC)
To: Glenn Maynard <glenn@zewt.org>
cc: Tobias Oberstein <tobias.oberstein@tavendo.de>, Simon Pieters <simonp@opera.com>, "public-webapps@w3.org" <public-webapps@w3.org>
Message-ID: <Pine.LNX.4.64.1110252231120.14432@ps20323.dreamhostps.com>

On Tue, 25 Oct 2011, Glenn Maynard wrote:
> On Tue, Oct 25, 2011 at 5:59 PM, Ian Hickson <ian@hixie.ch> wrote:
> >
> > That only makes sense if passive attack is significantly easier than 
> > active attack, which it is not.
> 
> Passive attacks are significantly easier to do without any risk of 
> discovery, especially on a large scale.

Sure, there are specific cases where one is easier than the other. There 
are also specific cases where it's easier to just send malware to the user 
than attempt a passive attack. That doesn't mean that we should just 
protect against malware and pretend that a passive attack is not a 
problem, just like we shouldn't pretend that active attacks are not a 
significant risk and thus should allow self-signed certs.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Tuesday, 25 October 2011 22:37:27 GMT