- From: Henry Story <henry.story@bblfish.net>
- Date: Wed, 18 Jul 2012 18:26:24 +0200
- To: Zhong Yu <zhong.j.yu@gmail.com>
- Cc: Mike Belshe <mike@belshe.com>, grahame@healthintersections.com.au, "Adrien W. de Croy" <adrien@qbik.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
On 18 Jul 2012, at 18:21, Zhong Yu wrote: > That's nice, but I don't think content tempering is a major concern in > this discussion. It is extremely important to the security of the whole web. Currently most sites serving web pages over plain HTTP can be man in the middle attacked. So you read a blog post of a good friend of yours who is talking about some web site, and a man in the middle changes a key link to go to a site that resembles very much the site of the shop he spoke about but is in fact a pirate shop. Even if all web sites were to move to null cypher suites, the value in security to the whole web would be gigantic I believe. Henry > > On Wed, Jul 18, 2012 at 11:09 AM, Henry Story <henry.story@bblfish.net> wrote: >> >> On 18 Jul 2012, at 18:03, Zhong Yu wrote: >> >>> If TLS is mandated, yet NULL cipher is acceptable, what was the point >>> of mandating TLS in the first place? >> >> You get the security that the information was not corrupted along the way. >> The User experience really needs to make that visible, but that's not a problem >> with TLS. >> >> >>> >>> On Tue, Jul 17, 2012 at 11:24 PM, Mike Belshe <mike@belshe.com> wrote: >>>> >>>> >>>> On Tue, Jul 17, 2012 at 9:20 PM, Grahame Grieve <grahame@kestral.com.au> >>>> wrote: >>>>> >>>> Naw - this is not a big deal. For instance, a server can send a NULL cipher >>>> to the client. In normal modes, browsers will reject the NULL cipher and >>>> not negotiate it. however, you can use command line flags to allow it. >>>> >>>> We do this all the time. Another example is for turning on >>>> same-origin-policy. Browsers often have debugging modes for turning it off. >>>> You have to run the browser in a special, techie, opt-in way to do it, but >>>> it is there. >>>> >>>> I used these all the time when developing in Chrome. >>>> >>>> Mike >>>> >>>> >>>>> >>>>> >>>>> Grahame >>>> >>>> >>> >> >> Social Web Architect >> http://bblfish.net/ >> Social Web Architect http://bblfish.net/
Received on Wednesday, 18 July 2012 16:26:59 UTC