
Re: [XHR] chunked requests

From: Anne van Kesteren <annevk@opera.com>
Date: Sat, 17 Dec 2011 15:11:45 +0100
To: public-webapps@w3.org
Cc: "Eric Rescorla" <ekr@rtfm.com>
Message-ID: <op.v6m0dvac64w2qv@annevk-macbookpro.local>
On Fri, 09 Dec 2011 19:54:31 +0100, Eric Rescorla <ekr@rtfm.com> wrote:
> Unfortunately, many servers do not support TLS 1.1, and to make matters
> worse, they do so in a way that is not securely verifiable. By which I
> mean that an active attacker can force a client/server pair both of
> which support TLS 1.1 down to TLS 1.0. This may be detectable in some
> way, but not by TLS's built-in mechanisms. And since the threat model
> here is an active attacker, this is a problem.

It seems user agents are addressing this issue in general by simply
removing support for those servers, so we might not have to define anything
here and just leave it to the TLS standards:

http://my.opera.com/securitygroup/blog/2011/12/11/opera-11-60-and-new-problems-with-some-secure-servers


-- 
Anne van Kesteren
http://annevankesteren.nl/
Received on Saturday, 17 December 2011 14:12:26 GMT
