Re: Origin vs Authority; use of HTTPS (draft-nottingham-site-meta-01)

On Tue, Feb 10, 2009 at 4:31 PM, Mark Nottingham <mnot@yahoo-inc.com> wrote:
> Well, the authority is host + port; common sense tells us that it's unlikely
> that the same (host, port) tuple that we speak HTTP on is also going to
> support SMTP or XMPP. I'm not saying that common sense is universal,
> however.

These assumptions are often violated in attack scenarios, especially
by active network attackers who are very capable of hiding the honest
https://example.com server behind a spoofed http://example.com:443
server.

Adam

Received on Wednesday, 11 February 2009 01:02:46 UTC