- From: Mark Nottingham <mnot@mnot.net>
- Date: Mon, 6 Aug 2012 16:16:48 -0500
- To: Willy Tarreau <w@1wt.eu>
- Cc: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
On 06/08/2012, at 4:14 PM, Willy Tarreau <w@1wt.eu> wrote:

>> Right. That's a big change from the semantics of HTTPS today, though; right
>> now, when I see that, I know that I have end-to-end TLS.
>
> No, you *believe* you do, you really don't know. That's clearly the problem
> with the way it works, man-in-the-middle proxies are still able to intercept
> it and to forge certs they sign with their own CA and you have no way to know
> if your communications are snooped or not.

It's a really big logical leap from the existence of an attack to changing the fundamental semantics of the URI scheme.

And, that's what a MITM proxy is -- it's not legitimate, it's not a recognised role, it's an attack. We shouldn't legitimise it.

Cheers,

--
Mark Nottingham
http://www.mnot.net/
Received on Monday, 6 August 2012 21:17:11 UTC
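The interception Willy describes, as an added example that is not part of the thread or of any project the participants work on: a proxy that cannot obtain a certificate chaining to a public root forges one for the target hostname and signs it with its own CA, which a client accepts only if that CA has been pushed into its trust store. The script below builds both a legitimate chain and a forged one locally with the openssl CLI, then runs the two checks a client can make against the forged certificate: chain verification against the roots the client itself trusts, and a SubjectPublicKeyInfo pin obtained out of band from the genuine certificate. The CA names and the hostname www.example.test are made up, and the script needs only openssl and a POSIX shell.

```shell
#!/bin/sh
# Added example (not from the thread). Models a TLS-intercepting proxy that
# forges a certificate for a hostname, signed by its own CA, and shows the
# client-side checks that expose it. All names and the hostname are made up.
# Requires the openssl CLI.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
HOST="www.example.test"   # hypothetical hostname the proxy impersonates

# make_ca NAME "Common Name": self-signed CA cert and key in $WORK/NAME.{pem,key}
make_ca() {
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -days 1 -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue_leaf CA LEAF: a certificate for $HOST signed by CA's private key
issue_leaf() {
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -subj "/CN=$HOST" -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
        -CAcreateserial -days 1 -out "$WORK/$2.pem" 2>/dev/null
}

# chain_ok LEAF CAFILE: succeeds only if LEAF chains to a CA contained in CAFILE
chain_ok() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# spki_pin CERT: base64(SHA-256(DER SubjectPublicKeyInfo)), the usual pin format
spki_pin() {
    openssl x509 -in "$1" -pubkey -noout \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -binary \
        | openssl base64
}

# pin_ok CERT EXPECTED_PIN: succeeds only if CERT carries the pinned public key
pin_ok() {
    [ "$(spki_pin "$1")" = "$2" ]
}

# The genuine chain: a public root (stand-in) and the real server certificate.
make_ca legit-ca "Public Root CA"
issue_leaf legit-ca legit-leaf

# The interceptor: its own CA and a forged certificate for the same hostname.
make_ca proxy-ca "Corporate Interception CA"
issue_leaf proxy-ca forged-leaf

# Check 1: chain verification against the roots the client actually trusts.
if chain_ok "$WORK/forged-leaf.pem" "$WORK/legit-ca.pem"; then
    echo "forged leaf chains to the public root (unexpected)"
else
    echo "forged leaf rejected: no path to the public root"
fi
# Once the proxy CA has been added to the client's trust store, the same forged
# leaf verifies cleanly, which is how intercepting proxies stay invisible.
if chain_ok "$WORK/forged-leaf.pem" "$WORK/proxy-ca.pem"; then
    echo "forged leaf accepted once the proxy CA is trusted"
fi

# Check 2: SPKI pinning. The pin is taken from the genuine certificate out of
# band; a forged certificate necessarily carries a different public key.
PIN_EXPECTED="$(spki_pin "$WORK/legit-leaf.pem")"
if pin_ok "$WORK/forged-leaf.pem" "$PIN_EXPECTED"; then
    echo "pin matches (unexpected)"
else
    echo "pin mismatch: presented key is not the pinned key, connection is intercepted"
fi
```

Chain verification only detects interception while the client's trust store is under the client's control; the pin check catches the forged certificate regardless of which CAs have been installed, at the usual cost of having to manage pin rotation.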