- From: Albert Lunde <atlunde@panix.com>
- Date: Tue, 19 Nov 2013 08:33:14 -0600
- To: HTTP Working Group <ietf-http-wg@w3.org>
I'm not sure how "opportunistic encryption" of traffic without validation of server certificates would be defended against active man-in-middle attacks. (Not unlike the attack on Tor, or less elaborate sorts of DNS spoofing.) https://www.schneier.com/blog/archives/2013/10/how_the_nsa_att.html It's outside the HTTP protocol as such, but without additional security measures, such as have already been mentioned, using TLS without server validation seems fundamentally unreliable. With so much of JavaScript and Flash security based on "trusted" origins, the browser environment seems at risk from server spoofing or session hijacking by various bad actors. The "mixed content" risks come from a more complicated mix of threats than passive eavesdropping alone. This may be mostly the outside this working group's activity but it at least bears on security considerations. Plaintext HTTP still seems like it might be useful, but the contexts where that is true are getting more specialized. At the same time, TLS is not a cure-all.
Received on Tuesday, 19 November 2013 14:33:40 UTC