Re: Draft finding - "Transitioning the Web to HTTPS" from Martin Thomson on 2014-12-15 (www-tag@w3.org from December 2014)

From: Martin Thomson <martin.thomson@gmail.com>
Date: Mon, 15 Dec 2014 10:37:05 -0800
To: Yves Lafon <ylafon@w3.org>
Cc: Sam Ruby <rubys@intertwingly.net>, www-tag@w3.org
Message-ID: <CABkgnnVhtpRJwSaGXaGAQ3SNPzj_PS4SYNchJWmb188vPaih2Q@mail.gmail.com>

On 15 December 2014 at 08:11, Yves Lafon <ylafon@w3.org> wrote:
> I agree for localhost (if running on a privileged port)

Define "privileged port".  That's harder than it sounds, I'll bet.

I've always thought that it's probably OK to consider the threat model
to only include attackers that are remote, in this case.  I don't know
if we've ever really considered the threat model on the inside of a
machine.  Is that something we really need to consider?  Can the USB
device influence what is on loopback?

Received on Monday, 15 December 2014 18:37:31 UTC