W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2013

Re: New Version Notification for draft-nottingham-http2-encryption-02.txt

From: Martin Thomson <martin.thomson@gmail.com>
Date: Mon, 16 Dec 2013 09:43:38 -0800
Message-ID: <CABkgnnV4MoFujtjqwW=edK1VCz8o4TixXE4QWH36GeNOah7HFw@mail.gmail.com>
To: Yoav Nir <synp71@live.com>
Cc: Christian Huitema <huitema@huitema.net>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
On 16 December 2013 04:02, Yoav Nir <synp71@live.com> wrote:
> But how can you get an authentic redirect, if hotmail.com does not have a
> CA-issued certificate? And if it does, why not use that rather than a
> self-signed certificate?

That was somewhat the point of the comment I think.  If you are going
to avoid getting a good certificate, then you also avoid all the
advantages, like resilience against active attacks like that.

A self-signed certificate does allow for things that are TOFU-like,
but not perfectly.  Things like CT help too.  Obviously,
http://hotmail.com should have a certificate that is signed by a CA
and HSTS turned on.  (Sadly, in reality, it has the former; instead of
the latter, it provides a P3P header :( )  Those things cost.

As an aside, I really would like people to recognize the non-monetary
costs here, which are far more relevant.
Received on Monday, 16 December 2013 17:44:05 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:14:21 UTC