Re: Fwd (TAG): Draft finding - "Transitioning the Web to HTTPS"

Chris Palmer wrote:
>
> Eric J. Bowman wrote:
> 
> >> TLS is the transport layer security protocol we have. It is widely
> >> supported and deployed.
> >
> > So is HTTP-Digest. Whether content is encrypted or not,
> > Authentication headers seem a better solution to me than
> > HTTPS-secured cookies.
> 
> Please explain how HTTP-Digest is robust against active network
> attackers tampering with the HTTP requests and responses (including
> both headers and bodies).
> 

Please explain how HTTPS is robust against same. A compromised CA or a
compromised "security device" allows attackers to tamper with HTTPS
requests and responses on a large scale, as easily as if it were HTTP.

What's needed is an integrity check; if we had one, HTTP Auth would be
no less effective than HTTPS for the bulk of traffic we're trying to
keep private.

Checking my bank account would still require HTTPS, but the same missing
mechanism for ensuring that's really an unadulterated page from my bank
could also be used to mitigate most of the concerns regarding "brochure"
content that doesn't need TLS encryption.

-Eric

Received on Wednesday, 31 December 2014 02:05:23 UTC
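
An added example, not part of the original message or thread: a sketch of what the HTTP Digest response hash (RFC 2617) actually covers, relevant to the tampering question quoted above. The function names and the request bodies are hypothetical and constructed; the credentials and nonce values are the RFC 2617 section 3.5 sample values, not anything from this thread.

```python
import hashlib
import hmac

def H(data) -> str:
    """MD5 hex digest, the default algorithm in RFC 2617."""
    if isinstance(data, str):
        data = data.encode()
    return hashlib.md5(data).hexdigest()

def digest_response(user, realm, password, method, uri,
                    nonce, nc, cnonce, qop, body=b""):
    """Compute the request-digest for qop=auth or qop=auth-int."""
    ha1 = H(f"{user}:{realm}:{password}")
    if qop == "auth-int":
        # auth-int folds a hash of the entity body into A2
        ha2 = H(f"{method}:{uri}:{H(body)}")
    else:
        # auth covers only the method and the request URI
        ha2 = H(f"{method}:{uri}")
    return H(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

# Sample values from RFC 2617 section 3.5
RFC = dict(user="Mufasa", realm="testrealm@host.com",
           password="Circle Of Life",
           nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
           nc="00000001", cnonce="0a4f113b")

def server_accepts(claimed, method, uri, body, qop):
    """Server side: recompute the digest over what actually arrived."""
    expected = digest_response(method=method, uri=uri, qop=qop,
                               body=body, **RFC)
    return hmac.compare_digest(claimed, expected)

def body_change_detected(qop):
    """True if a body altered in transit makes verification fail."""
    sent = b"comment=hello"        # constructed body as the client sent it
    arrived = b"comment=altered"   # constructed body as the server received it
    claimed = digest_response(method="POST", uri="/dir/form", qop=qop,
                              body=sent, **RFC)
    return not server_accepts(claimed, "POST", "/dir/form", arrived, qop)

if __name__ == "__main__":
    for qop in ("auth", "auth-int"):
        print(qop, "detects body change:", body_change_detected(qop))
```

In both modes the hash input contains no header fields other than the Digest parameters themselves, so other request headers are outside the check.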