Re: Proposal: Marking HTTP As Non-Secure from Daniel Kahn Gillmor on 2014-12-18 (public-webappsec@w3.org from December 2014)

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date: Thu, 18 Dec 2014 18:07:08 -0500
To: michael.martinez@xenite.org, public-webappsec@w3.org, security-dev@chromium.org, mozilla-dev-security@lists.mozilla.org, blink-dev@chromium.org
Message-ID: <54935E1C.9060605@fifthhorseman.net>

On 12/18/2014 05:55 PM, Michael Martinez wrote:
> No it doesn't need a certificate.  A MITM can be executed through a
> compromised or rogue router.  It's simple enough to set up a public
> network in  well-known wifi hotspots and attract unwitting users. Then
> the HTTPS doesn't protect anyone's transmission from anything as the
> router forms the other end of the secure connection and initiates its
> own secure connection with the user's intended destination (either the
> site they are trying to get to or whatever site the bad guys want them
> to visit).

It sounds like you're saying that browsers don't verify the X.509
certificate presented by the https origin server, or at least that they
don't verify that the hostname matches.

This is a serious and extraordinary claim.  Please provide evidence for it.

 --dkg

Received on Thursday, 18 December 2014 23:07:40 UTC