- From: Adam Barth <abarth@cs.stanford.edu>
- Date: Tue, 10 Feb 2009 17:02:09 -0800
- To: www-talk@w3.org
- Cc: Thomas Roessler <tlr@w3.org>, Eran Hammer-Lahav <blade@yahoo-inc.com>, ietf-http-wg@w3.org, discuss@apps.ietf.org, Collin Jackson <collinj@cs.stanford.edu>, Mark Nottingham <mnot@yahoo-inc.com>
On Tue, Feb 10, 2009 at 4:31 PM, Mark Nottingham <mnot@yahoo-inc.com> wrote: > Well, the authority is host + port; common sense tells us that it's unlikely > that the same (host, port) tuple that we speak HTTP on is also going to > support SMTP or XMPP. I'm not saying that common sense is universal, > however. These assumptions are often violated in attack scenarios, especially by active network attackers who are very capable of hiding the honest https://example.com server behind a spoofed http://example.com:443 server. Adam
Received on Wednesday, 11 February 2009 01:02:46 UTC