
Re: ACTION-11 SSO & Federated Identity

From: Michael(tm) Smith <mikes@opera.com>
Date: Wed, 6 Dec 2006 21:09:44 +0900
To: public-wsc-wg@w3.org
Message-ID: <20061206120944.GC6892@malware>

Hal Lockhart <hlockhar@bea.com>, 2006-12-04 13:30 -0800:

> Case 0. User establishes TLS session, signs on with username/password
> (usually with form post, sometimes http basic auth) server takes down
> TLS for rest of session. 
> [Should we worry about this case? Although password is protected from
> interception, there is no binding to rest of interaction allowing
> session hijack, interception of app data, etc. User sees lock during
> initial interaction and believes session is "secure."

Do you have any examples of sites that actually do this? (Or can
you create one for testing purposes?) Or can you describe what
browsers currently do when they encounter this case?


  --Mike
Received on Wednesday, 6 December 2006 12:09:34 GMT
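The hijack in Hal's Case 0 comes down to one browser rule: a cookie set during the TLS login is re-sent on every later plaintext request unless the server marked it `Secure`. The following is an added example, not code from this thread or from any W3C deliverable; it models that rule (the RFC 6265 `Secure` attribute) in a small cookie jar and audits a login response for session cookies that would travel over plain http. The host name and the Set-Cookie headers are constructed for the demo.

```python
# Added example, not from the original thread: a minimal model of the
# browser cookie rule (RFC 6265 "Secure" attribute) that makes Case 0
# exploitable. The host and the Set-Cookie headers are constructed here.
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool = False
    http_only: bool = False


def parse_set_cookie(header: str) -> Cookie:
    """Parse a Set-Cookie header value; only Secure and HttpOnly are tracked."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name=name.strip(), value=value.strip())
    for attr in parts[1:]:
        key = attr.split("=", 1)[0].strip().lower()
        if key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.http_only = True
    return cookie


class CookieJar:
    """Per-host cookie store that applies the Secure rule when sending."""

    def __init__(self) -> None:
        self._jar: Dict[str, Dict[str, Cookie]] = {}

    def store(self, host: str, set_cookie_headers: List[str]) -> None:
        for header in set_cookie_headers:
            c = parse_set_cookie(header)
            self._jar.setdefault(host, {})[c.name] = c

    def cookies_for(self, scheme: str, host: str) -> Dict[str, str]:
        """Cookies a browser attaches to a request; Secure ones go only over https."""
        sent: Dict[str, str] = {}
        for c in self._jar.get(host, {}).values():
            if c.secure and scheme != "https":
                continue  # bound to TLS: never leaves the browser in the clear
            sent[c.name] = c.value
        return sent


def plaintext_leak(host: str, set_cookie_headers: List[str]) -> List[str]:
    """Names of cookies issued at (TLS) login that would be sent over plain http.

    Anything returned here is what a passive eavesdropper on the later
    non-TLS part of the session captures and replays to hijack it.
    """
    jar = CookieJar()
    jar.store(host, set_cookie_headers)
    return sorted(jar.cookies_for("http", host).keys())


if __name__ == "__main__":
    # Constructed login response from https://bank.example/login (hypothetical host).
    weak = ["SESSIONID=abc123; Path=/; HttpOnly", "lang=en; Path=/"]
    fixed = ["SESSIONID=abc123; Path=/; Secure; HttpOnly", "lang=en; Path=/"]
    print("leaks over http (Case 0):", plaintext_leak("bank.example", weak))
    print("leaks over http (Secure set):", plaintext_leak("bank.example", fixed))
```

Running it shows `SESSIONID` in the first list and absent from the second. The second case is also why sites that "take down TLS for the rest of the session" cannot simply add `Secure`: with the flag set the browser withholds the session cookie from the plaintext pages, so the application only works if the whole session stays on https, which is the binding Hal's case lacks.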
