Re: [blink-dev] Re: Proposal: Marking HTTP As Non-Secure

From: Anne van Kesteren <annevk@annevk.nl>
Date: Mon, 22 Dec 2014 13:05:09 +0100
Message-ID: <CADnb78g=F_wjCC9Y8vjFEuHjm3pk=nk3Sh0kwQX6pCM0vuG8sQ@mail.gmail.com>
To: Sigbjørn Vik <sigbjorn@opera.com>
Cc: Tyler Larson <tylerl@google.com>, blink-dev <blink-dev@chromium.org>, Chris Palmer <palmer@google.com>, WebAppSec WG <public-webappsec@w3.org>, security-dev@chromium.org, dev-security@lists.mozilla.org
On Wed, Dec 17, 2014 at 6:50 PM, Sigbjørn Vik <sigbjorn@opera.com> wrote:
>> What would happen exactly when
>> you visit e.g. google.com from the airport (connected to something
>> with a shitty captive portal)?
>
> Assuming interstitials were replaced with cache separation:
>
> The browser would detect that this isn't the same secure google you
> talked to yesterday, and not share any data you got from google
> yesterday with the captive portal. Once you reconnect to the authentic
> google, the browser would use the first set of data again.

How would the user distinguish this case from cookies expiring,
getting lost for some reason, or the monthly two-factor authentication
dance? This sounds very dangerous.

What if google.com uses certificate pinning?


-- 
https://annevankesteren.nl/
Received on Monday, 22 December 2014 12:05:37 UTC
