Re: How HTTP 2.0 mandatory security will actually reduce my personal security from Nicolas Mailhot on 2013-11-15 (ietf-http-wg@w3.org from October to December 2013)

From: Nicolas Mailhot <nicolas.mailhot@laposte.net>
Date: Fri, 15 Nov 2013 08:16:05 +0100
To: "Roberto Peon" <grmocg@gmail.com>
Cc: "Nicolas Mailhot" <nicolas.mailhot@laposte.net>, "Bruce Perens" <bruce@perens.com>, "HTTP Working Group" <ietf-http-wg@w3.org>
Message-ID: <6782ac89952bcbc3a127f037344c1b75.squirrel@arekh.dyndns.org>

Le Ven 15 novembre 2013 07:57, Roberto Peon a écrit :
> What is your threat model?

The threat model is
1. developer that makes information leak trough incompetence, laziness,
sloppiness or greed (cf all the info your average android app wants to
access)
2. attacker that does not need to penetrate target anymore can just
collect the leaked info at endpoints (see also: Snowden)
3. protocol that prevents anyone doing anything about it by default

-- 
Nicolas Mailhot

Received on Friday, 15 November 2013 07:16:33 UTC