- From: Eliot Lear <lear@cisco.com>
- Date: Thu, 28 Feb 2013 08:31:33 +0100
- To: Amos Jeffries <squid3@treenet.co.nz>
- CC: ietf-http-wg@w3.org
On 2/28/13 6:58 AM, Amos Jeffries wrote:
>
> Can we take a step back folks and outline _exactly_ what it is that
> needs protecting here?
>
> - the datum responded by DNS?
> - the HTTP channel?
>

The case we're talking about is where http://www.example.com:8080 and https://www.example.com:4343 have the exact same content and services. You don't want a man in the middle to be able to force clients to 8080 when a more secure encrypted service is advertised. One simple way around this is not to have 8080 available for this purpose. Otherwise, you want to ensure the information you are getting from the DNS is accurate and complete. DNSSEC provides that capability.

Eliot
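An added illustration of the client-side policy the message implies (not code from the thread or from any project): the resolver's DNSSEC validation result (the AD flag) decides whether a DNS advertisement that lists only the plaintext port can be trusted. The `ServiceRecord`/`DnsAnswer` types, the record set and the tampering step are all constructed for this example.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class ServiceRecord:
    scheme: str   # "http" or "https"
    host: str
    port: int

@dataclass(frozen=True)
class DnsAnswer:
    records: Tuple[ServiceRecord, ...]
    validated: bool   # True when the resolver reported DNSSEC validation (AD flag)

def choose_endpoint(answer: DnsAnswer) -> Optional[ServiceRecord]:
    """Pick the endpoint to connect to from an advertised record set.

    Policy (assumed for this example):
      1. An advertised https service always wins over http.
      2. An http-only advertisement is accepted only when the answer was
         DNSSEC-validated, so the *absence* of an https record is authentic.
      3. An unvalidated http-only answer is refused: a man in the middle could
         have stripped the https record to force the plaintext port.
    """
    secure = [r for r in answer.records if r.scheme == "https"]
    if secure:
        return secure[0]
    plain = [r for r in answer.records if r.scheme == "http"]
    if plain and answer.validated:
        return plain[0]
    return None

def strip_https(answer: DnsAnswer) -> DnsAnswer:
    """Constructed on-path tampering: drop the https record. A forger cannot
    produce valid signatures for the altered set, so validation fails."""
    kept = tuple(r for r in answer.records if r.scheme != "https")
    return DnsAnswer(records=kept, validated=False)

# Constructed sample: both services advertised for www.example.com.
ADVERTISED = DnsAnswer(
    records=(ServiceRecord("http", "www.example.com", 8080),
             ServiceRecord("https", "www.example.com", 4343)),
    validated=True,
)

if __name__ == "__main__":
    print(choose_endpoint(ADVERTISED))               # https, port 4343
    print(choose_endpoint(strip_https(ADVERTISED)))  # None: downgrade refused
```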
Received on Thursday, 28 February 2013 07:32:02 UTC