- From: Christian Huitema <huitema@huitema.net>
- Date: Sun, 15 Dec 2013 16:37:16 -0800
- To: "'Yoav Nir'" <synp71@live.com>, <ietf-http-wg@w3.org>
From: Yoav Nir [mailto:synp71@live.com], Sunday, December 15, 2013 3:53 AM

> No scary UI means that a MitM or someone who has compromised the DNS can
> hijack your connection, show a self-signed cert, and get no indication
> to the user that something is wrong. So (let's use hotmail, because not
> all examples have to be gmail):
>
> http://hotmail.com redirects to https://selfsigned.live.com which has
> a self-signed certificate, and everything looks fine. Except it's an
> attacker.

The problem is really the insecure redirect, not the use of a self-signed certificate. We could have:

http://hotmail.com redirects to https://recorder.dgse.fr which has a CA-signed certificate, and everything looks fine.

The only protection against that one is to connect to "https://hotmail.com," and get an authentic redirect if needed.

-- Christian Huitema
Received on Monday, 16 December 2013 00:38:42 UTC
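
Added example, not part of the original message: a small Python audit of a redirect chain that treats any hop fetched over cleartext as unauthenticated, so the self-signed and CA-signed cases discussed above get the same verdict. The `Hop` record, the `audit_chain` function and the `mail.example` target are assumptions made for illustration; the other host names are the ones used in the message.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Hop:
    url: str          # URL requested at this hop
    cert_valid: bool  # certificate chained to a trusted CA and matched the host


def audit_chain(hops):
    """Return (authenticated, reason); hops[0] is the URL the user started from."""
    for i, hop in enumerate(hops):
        parts = urlsplit(hop.url)
        if parts.scheme != "https":
            if i + 1 < len(hops):
                # The Location header came over cleartext: anyone on the path
                # could have written it, whatever the target presents later.
                return False, f"cleartext redirect {hop.url} -> {hops[i + 1].url}"
            return False, f"cleartext final page {hop.url}"
        if not hop.cert_valid:
            return False, f"certificate for {parts.hostname} did not validate"
    return True, "every hop authenticated"


# Constructed chains using the host names from the message.
SELF_SIGNED = [Hop("http://hotmail.com", False), Hop("https://selfsigned.live.com", False)]
CA_SIGNED = [Hop("http://hotmail.com", False), Hop("https://recorder.dgse.fr", True)]
# Constructed: starting from https, with a placeholder redirect target.
HTTPS_FIRST = [Hop("https://hotmail.com", True), Hop("https://mail.example", True)]

if __name__ == "__main__":
    for name, chain in [("self-signed", SELF_SIGNED),
                        ("CA-signed", CA_SIGNED),
                        ("https first", HTTPS_FIRST)]:
        print(name, audit_chain(chain))
```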