Fwd: [apps-discuss] WebFinger should be HTTPS only

From: Melvin Carvalho <melvincarvalho@gmail.com>
Date: Tue, 11 Sep 2012 19:46:06 +0200
Message-ID: <CAKaEYhK6sNq9UMxq_+WLSsQmeJ_cpEfqbM9c7frONLfswT4QPw@mail.gmail.com>
To: public-webid <public-webid@w3.org>
---------- Forwarded message ----------
From: Mike Jones <Michael.Jones@microsoft.com>
Date: 11 September 2012 19:43
Subject: [apps-discuss] WebFinger should be HTTPS only
To: "apps-discuss@ietf.org" <apps-discuss@ietf.org>

Having looked at the WebFinger specification a bit more, I recently
realized that it currently does not require TLS to be used.  Section 5.1 -
Performing a WebFinger Query – currently begins “The first step a client
must perform in executing a WebFinger query is to query for the host
metadata using HTTPS or HTTP”.  This concerns me, since this may enable
classes of phishing attacks in some situations.

I would therefore request that the specification be updated to prohibit
non-TLS connections.

                                                            Thank you,

                                                            -- Mike

apps-discuss mailing list
Received on Tuesday, 11 September 2012 17:46:35 UTC
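
The HTTPS-only behaviour requested in the message above, sketched from the client side as an added example that is not part of the original e-mail or of the WebFinger specification: the first-step host metadata URL is always built with `https`, and every redirect target is re-checked so the query cannot be downgraded. The function names are hypothetical, `example.com` is constructed sample input, and the host metadata path is the well-known location from RFC 6415.

```python
from urllib.parse import urljoin, urlsplit

# Well-known host metadata location (RFC 6415).
HOST_META_PATH = "/.well-known/host-meta"


class InsecureWebFingerError(ValueError):
    """Raised when a lookup step would leave TLS."""


def host_from_account(identifier):
    """Return the host part of 'acct:user@host' or 'user@host'."""
    if identifier.lower().startswith("acct:"):
        identifier = identifier[5:]
    user, sep, host = identifier.rpartition("@")
    if not sep or not user or not host or any(c in host for c in "/?#\\ "):
        raise ValueError("not an account identifier: %r" % identifier)
    return host.lower()


def host_meta_url(identifier):
    """Build the first-step query URL; the scheme is always https."""
    return "https://" + host_from_account(identifier) + HOST_META_PATH


def require_https(url):
    """Reject any URL that is not an absolute https URL."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https" or not parts.hostname:
        raise InsecureWebFingerError("refusing non-TLS URL: %r" % url)
    return url


def resolve_chain(identifier, redirect_targets):
    """Walk the Location values a server returned and return the final URL.

    Every hop must stay on https, so a redirect cannot downgrade the query.
    """
    url = require_https(host_meta_url(identifier))
    for target in redirect_targets:
        # Relative targets inherit https from the current URL.
        url = require_https(urljoin(url, target))
    return url


if __name__ == "__main__":
    # Constructed sample input, not taken from the message.
    print(resolve_chain("acct:bob@example.com", ["/host-meta.xml"]))
```
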