- From: Martin Thomson <martin.thomson@gmail.com>
- Date: Wed, 28 Mar 2012 15:11:05 +0200
- To: Roberto Peon <grmocg@gmail.com>
- Cc: Willy Tarreau <w@1wt.eu>, Henry Story <henry.story@bblfish.net>, "Adrien W. de Croy" <adrien@qbik.com>, HTTP Working Group <ietf-http-wg@w3.org>

On 28 March 2012 13:43, Roberto Peon <grmocg@gmail.com> wrote:
> If you make SSL implementation optional on the server side, you suffer
> from a downgrade attack whereby an intermediary (potentially malicious),
> denies you all security on the communications channel.
> If this decision is made, it must be made by the client for the
> client<->intermediary connection.

You can't downgrade https:// URIs now because it is non-negotiable, so what's the threat model here?

Received on Wednesday, 28 March 2012 13:11:39 UTC