
Re: [blink-dev] Re: Proposal: Marking HTTP As Non-Secure

From: Chris Palmer <palmer@google.com>
Date: Thu, 18 Dec 2014 16:17:44 -0800
Message-ID: <CAOuvq20J0dwcQm4zMFm+KL949Hy5yJ5xTvcM6KTmqMEe-K0-fw@mail.gmail.com>
To: michael.martinez@xenite.org
Cc: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, "public-webappsec@w3.org" <public-webappsec@w3.org>, security-dev <security-dev@chromium.org>, mozilla-dev-security@lists.mozilla.org, blink-dev <blink-dev@chromium.org>
On Thu, Dec 18, 2014 at 4:08 PM, Michael Martinez
<michael.martinez@xenite.org> wrote:

> A Study of SSL Proxy Attacks on Android and iOS Mobile Applications
> http://harvey.binghamton.edu/~ychen/CCNC2014_SSL_Attacks.pdf

That paper describes bugs in the certificate validation procedures *of
specific clients*. (Note that the authors call out the fact that the
clients in question are *not* browsers.)

That doesn't mean the protocol is fundamentally flawed; it means those
particular non-browser clients have bugs.

If you can find such a bug in Chrome (or Firefox, or other browser),
you should report the flaw to the vendor. Google offers money in
reward for such findings:

https://www.google.com/about/appsecurity/chrome-rewards/index.html

If you can find one, we would consider such a finding to be a high-priority bug.
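The distinction drawn above, between a flaw in TLS itself and a client that skips the certificate checks TLS relies on, is easy to audit in code. The following Python example is added here and is not part of the original message or of any project it mentions; it builds a client context that validates the chain and the hostname, a context with the kind of misconfiguration the cited paper attributes to specific non-browser apps, and a small audit function (the function names are this example's own) that flags the weak settings so a reviewer can catch them before a proxy in the middle does.

```python
import ssl


def make_validating_context() -> ssl.SSLContext:
    """Client context that verifies the certificate chain against the
    system trust store and checks the hostname against the certificate.
    create_default_context() already sets CERT_REQUIRED and check_hostname;
    the minimum version is pinned explicitly so the audit can see it."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def make_unvalidated_context() -> ssl.SSLContext:
    """The misconfiguration pattern: chain verification and hostname
    checking both switched off, which is exactly what lets an SSL proxy
    present any certificate it likes. Kept here only as audit input;
    never use this for real connections."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # check_hostname must be cleared before verify_mode can be relaxed.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_client_context(ctx: ssl.SSLContext) -> list[str]:
    """Return a list of findings describing validation weaknesses in a
    client SSLContext; an empty list means the context validates properly."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain verification is not required")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions below TLS 1.2 are allowed")
    return findings


if __name__ == "__main__":
    for name, ctx in (("validating", make_validating_context()),
                      ("unvalidated", make_unvalidated_context())):
        print(name, audit_client_context(ctx) or "ok")
```

The audit only inspects settings, so it runs offline; wiring it into a test suite that wraps every place an application builds an `SSLContext` is the cheapest way to keep this class of client bug out of a code base.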
Received on Friday, 19 December 2014 00:18:12 UTC