- From: Eliot Lear <lear@cisco.com>
- Date: Thu, 28 Feb 2013 11:00:02 +0100
- To: Amos Jeffries <squid3@treenet.co.nz>
- CC: ietf-http-wg@w3.org
Received on Thursday, 28 February 2013 10:00:35 UTC
On 2/28/13 9:06 AM, Amos Jeffries wrote:
> Fine. MITM have easy access to DNS to learn these details, same as the
> client does. All they will do is intercept the HTTPS channel and
> answer it from fetches sent to 8080, same as they do today. Status Quo.

No, that's a poorly written client, when it accepts plaintext while expecting TLS. Unless of course they DO speak TLS with a fake or invalid cert. That **is** a problem, but not with the DNS mechanism.

But to your main point, the draft introduces a usage case that can be dealt with in a number of different ways, and it is simply important to document both the concern and the remediation.

Eliot