- From: Martin Thomson <martin.thomson@gmail.com>
- Date: Mon, 16 Dec 2013 09:43:38 -0800
- To: Yoav Nir <synp71@live.com>
- Cc: Christian Huitema <huitema@huitema.net>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>

On 16 December 2013 04:02, Yoav Nir <synp71@live.com> wrote:
> But how can you get an authentic redirect, if hotmail.com does not have a
> CA-issued certificate? And if it does, why not use that rather than a
> self-signed certificate?

That was somewhat the point of the comment I think. If you are going to avoid getting a good certificate, then you also avoid all the advantages, like resilience against active attacks like that.

A self-signed certificate does allow for things that are TOFU-like, but not perfectly. Things like CT help too.

Obviously, http://hotmail.com should have a certificate that is signed by a CA and HSTS turned on. (Sadly, in reality, it has the former; instead of the latter, it provides a P3P header :( )

Those things cost. As an aside, I really would like people to recognize the non-monetary costs here, which are far more relevant.

Received on Monday, 16 December 2013 17:44:05 UTC