Re: Origin vs Authority; use of HTTPS (draft-nottingham-site-meta-01)

From: Adam Barth <abarth@cs.stanford.edu>
Date: Tue, 10 Feb 2009 17:02:09 -0800
Message-ID: <7789133a0902101702n2a441586yf22af5212236a46d@mail.gmail.com>
To: www-talk@w3.org
Cc: Thomas Roessler <tlr@w3.org>, Eran Hammer-Lahav <blade@yahoo-inc.com>, ietf-http-wg@w3.org, discuss@apps.ietf.org, Collin Jackson <collinj@cs.stanford.edu>, Mark Nottingham <mnot@yahoo-inc.com>

On Tue, Feb 10, 2009 at 4:31 PM, Mark Nottingham <mnot@yahoo-inc.com> wrote:
> Well, the authority is host + port; common sense tells us that it's unlikely
> that the same (host, port) tuple that we speak HTTP on is also going to
> support SMTP or XMPP. I'm not saying that common sense is universal,
> however.

These assumptions are often violated in attack scenarios, especially
by active network attackers who are very capable of hiding the honest
https://example.com server behind a spoofed http://example.com:443
server.

Adam
Received on Wednesday, 11 February 2009 08:49:31 GMT
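The distinction Adam draws above, as an added illustration that is not part of the thread: an authority check keys on (host, port) only, so an honest https://example.com page and a spoofed http://example.com:443 page look identical to it, while an origin check also includes the scheme and keeps them apart. The URLs and the `may_trust_for` policy below are constructed for the example.

```python
from urllib.parse import urlsplit

# Default ports, used when the URL does not spell one out.
DEFAULT_PORTS = {"http": 80, "https": 443}


def _split(url):
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"not an http(s) URL with a host: {url!r}")
    port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    return scheme, parts.hostname.lower(), port


def authority(url):
    """RFC 3986 authority as discussed in the thread: (host, port); scheme is ignored."""
    _, host, port = _split(url)
    return (host, port)


def origin(url):
    """Web origin: (scheme, host, port). Differs from authority only by the scheme."""
    return _split(url)


def same_authority(a, b):
    return authority(a) == authority(b)


def same_origin(a, b):
    return origin(a) == origin(b)


def may_trust_for(metadata_url, resource_url):
    """Constructed policy: metadata fetched at metadata_url may describe resource_url
    only when both share an origin, so a plain-http document on port 443 cannot
    speak for the https site an active network attacker is hiding behind it."""
    return same_origin(metadata_url, resource_url)


if __name__ == "__main__":
    honest = "https://example.com/"          # constructed honest site
    spoofed = "http://example.com:443/"      # constructed attacker-served page
    print("same authority:", same_authority(honest, spoofed))  # True
    print("same origin:   ", same_origin(honest, spoofed))     # False
    print("trust spoofed metadata for https site:",
          may_trust_for(spoofed, honest))                      # False
```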