Re: Proposal: Marking HTTP As Non-Secure from Matthew Dempsky on 2014-12-19 (public-webappsec@w3.org from December 2014)

From: Matthew Dempsky <mdempsky@chromium.org>
Date: Thu, 18 Dec 2014 16:59:41 -0800
To: michael.martinez@xenite.org
Cc: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, public-webappsec@w3.org, security-dev@chromium.org, mozilla-dev-security@lists.mozilla.org, blink-dev <blink-dev@chromium.org>
Message-ID: <CAF52+S6mmmRLts7px1-E2-RZVoeJOtN6g7GYBnF+tks4pWUpzg@mail.gmail.com>

On Thu, Dec 18, 2014 at 4:22 PM, Michael Martinez <
michael.martinez@xenite.org> wrote:
>
>  The first article describes a Double Direct attack, which is an
> alternative to ARP poisoning.  HTTPS won't defend against the Double Direct
> method.
>

Sorry, but you're basing the claim that HTTPS won't defend against it on
what?  Do you understand how IP routing tables work and what the security
consequences of hijacking the IP transit of HTTPS connections are?  In
particular, do you understand how it affects SSL certificate host
validation?

Received on Friday, 19 December 2014 01:01:25 UTC