Re: Proposal: Marking HTTP As Non-Secure

From: Matthew Dempsky <mdempsky@chromium.org>
Date: Thu, 18 Dec 2014 16:59:41 -0800
Message-ID: <CAF52+S6mmmRLts7px1-E2-RZVoeJOtN6g7GYBnF+tks4pWUpzg@mail.gmail.com>
To: michael.martinez@xenite.org
Cc: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, public-webappsec@w3.org, security-dev@chromium.org, mozilla-dev-security@lists.mozilla.org, blink-dev <blink-dev@chromium.org>

On Thu, Dec 18, 2014 at 4:22 PM, Michael Martinez <michael.martinez@xenite.org> wrote:
>
>  The first article describes a Double Direct attack, which is an
> alternative to ARP poisoning.  HTTPS won't defend against the Double Direct
> method.
>

Sorry, but you're basing the claim that HTTPS won't defend against it on
what?  Do you understand how IP routing tables work and what the security
consequences of hijacking the IP transit of HTTPS connections are?  In
particular, do you understand how it affects SSL certificate host
validation?
Received on Friday, 19 December 2014 01:01:25 UTC
