- From: Jeffrey Walton <noloader@gmail.com>
- Date: Thu, 19 Feb 2015 14:43:27 -0500
- To: Bjoern Hoehrmann <derhoermi@gmx.net>
- Cc: public-webapps WG <public-webapps@w3.org>
On Thu, Feb 19, 2015 at 1:44 PM, Bjoern Hoehrmann <derhoermi@gmx.net> wrote:
> * Jeffrey Walton wrote:
>>Here's yet another failure that Public Key Pinning should have
>>stopped, but the browser's rendition of HPKP could not stop because of
>>the broken security model:
>>http://arstechnica.com/security/2015/02/lenovo-pcs-ship-with-man-in-the-middle-adware-that-breaks-https-connections/.
>
> In this story the legitimate user with full administrative access to the
> systems is Lenovo. I do not really see how actual user agents could have
> "stopped" anything here. Timbled agents that act on behalf of someone
> other than the user might have denied users their right to modify their
> system as Lenovo did here, but that is clearly out of scope of browsers.
> --

Like I said, the security model is broken and browser-based apps can only handle low-value data.

Jeff
Received on Thursday, 19 February 2015 19:43:55 UTC