- From: Zhong Yu <zhong.j.yu@gmail.com>
- Date: Wed, 18 Jul 2012 11:21:13 -0500
- To: Henry Story <henry.story@bblfish.net>
- Cc: Mike Belshe <mike@belshe.com>, grahame@healthintersections.com.au, "Adrien W. de Croy" <adrien@qbik.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
That's nice, but I don't think content tempering is a major concern in this discussion. On Wed, Jul 18, 2012 at 11:09 AM, Henry Story <henry.story@bblfish.net> wrote: > > On 18 Jul 2012, at 18:03, Zhong Yu wrote: > >> If TLS is mandated, yet NULL cipher is acceptable, what was the point >> of mandating TLS in the first place? > > You get the security that the information was not corrupted along the way. > The User experience really needs to make that visible, but that's not a problem > with TLS. > > >> >> On Tue, Jul 17, 2012 at 11:24 PM, Mike Belshe <mike@belshe.com> wrote: >>> >>> >>> On Tue, Jul 17, 2012 at 9:20 PM, Grahame Grieve <grahame@kestral.com.au> >>> wrote: >>>> >>> Naw - this is not a big deal. For instance, a server can send a NULL cipher >>> to the client. In normal modes, browsers will reject the NULL cipher and >>> not negotiate it. however, you can use command line flags to allow it. >>> >>> We do this all the time. Another example is for turning on >>> same-origin-policy. Browsers often have debugging modes for turning it off. >>> You have to run the browser in a special, techie, opt-in way to do it, but >>> it is there. >>> >>> I used these all the time when developing in Chrome. >>> >>> Mike >>> >>> >>>> >>>> >>>> Grahame >>> >>> >> > > Social Web Architect > http://bblfish.net/ >
Received on Wednesday, 18 July 2012 16:21:41 UTC