W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2013

Re: New Version Notification for draft-snell-httpbis-keynego-01.txt

From: Roberto Peon <grmocg@gmail.com>
Date: Tue, 19 Nov 2013 17:40:03 -0800
Message-ID: <CAP+FsNeRT3wU9shGxBOPtM+s-fu_BWzncJZwCu8_gZ+17Ks0DQ@mail.gmail.com>
To: Poul-Henning Kamp <phk@phk.freebsd.dk>
Cc: Mark Nottingham <mnot@mnot.net>, James M Snell <jasnell@gmail.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
I'm not talking about protecting those images-- I'm saying that without
integrity *always*, a MITM can always downgrade anything, and you can't
tell it was done.

On Tue, Nov 19, 2013 at 5:35 PM, Poul-Henning Kamp <phk@phk.freebsd.dk>wrote:

> In message <
> CAP+FsNdj-Ng02OA8CKT11fiVBp-zYwdYH9v+-ZZ+eCLMyX3w8g@mail.gmail.com>
> , Roberto Peon writes:
> >Being able to run a handshake in parallel with whatever else can only
> >happen when one doesn't need or want the integrity handshake, which is
> >necessary for detecting a malicious filtering MITM (and yes one can never
> >*prevent* such, but detection is quite important).
> My impression of the average site needing protection is that they
> send me 100k of graphics to wrap around the two protected entry
> fields for "username" and "password".
> I dont get the impression that they're particularly worried about
> the integrity of the stock-photo of some smiling model or for
> that matter the company logo or...
> --
> Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
> phk@FreeBSD.ORG         | TCP/IP since RFC 956
> FreeBSD committer       | BSD since 4.3-tahoe
> Never attribute to malice what can adequately be explained by incompetence.
Received on Wednesday, 20 November 2013 01:40:33 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:14:20 UTC