W3C home > Mailing lists > Public > public-wsc-wg@w3.org > January 2007

RE: use case: TLS Man in the Middle (ACTION-73)

From: Doyle, Bill <wdoyle@mitre.org>
Date: Mon, 22 Jan 2007 10:12:14 -0500
Message-ID: <518C60F36D5DBC489E91563736BA4B58013AEF68@IMCSRV5.MITRE.ORG>
To: "George Staikos" <staikos@kde.org>, "W3 Work Group" <public-wsc-wg@w3.org>

Cert problems and complexity - Is this why many sites are just using
http for the splash page and only encrypting credentials?

We had a long list of sites using http with credentials that had a
padlock. Many of these sites were banking or other high value sites
that only used http noting that the credentials were secure. Hope that
this direction is not a trend.

Bill D.
wdoyle@mitre.org


-----Original Message-----
From: public-wsc-wg-request@w3.org
[mailto:public-wsc-wg-request@w3.org] On Behalf Of George Staikos
Sent: Sunday, January 21, 2007 10:21 PM
To: W3 Work Group
Subject: Re: use case: TLS Man in the Middle (ACTION-73)



www.usair.com was pushing out the certificate for www.usairways.com  
this weekend.  If high-profile sites like this are screwing up this  
badly, perhaps we need to take action on the UA side.  I really feel  
comfortable with the idea of completely blocking access to sites with  
misconfigured certificates like this.  Unfortunately it's another  
case of "we have to break all the browsers simultaneously".

On 9-Jan-07, at 11:50 AM, Thomas Roessler wrote:

>
> Another in the "specific interactions" department.
>
> Alice tries to connect to a web site at <https://www.example.com/>.
> Her user agent's TLS implementation detects that the domain name
> present in the certificate differs from www.example.com.
>
> Regards,
> -- 
> Thomas Roessler, W3C  <tlr@w3.org>
>

--
George Staikos
KDE Developer				http://www.kde.org/
Staikos Computing Services Inc.		http://www.staikos.net/
Received on Monday, 22 January 2007 15:12:33 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:14:13 UTC