- From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
- Date: Mon, 16 Dec 2013 18:02:46 +0000
- To: Martin Thomson <martin.thomson@gmail.com>, Yoav Nir <synp71@live.com>
- CC: Christian Huitema <huitema@huitema.net>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>

On 12/16/2013 05:43 PM, Martin Thomson wrote:
> On 16 December 2013 04:02, Yoav Nir <synp71@live.com> wrote:
>> But how can you get an authentic redirect, if hotmail.com does not have a
>> CA-issued certificate? And if it does, why not use that rather than a
>> self-signed certificate?
>
> That was somewhat the point of the comment I think. If you are going
> to avoid getting a good certificate, then you also avoid all the
> advantages, like resilience against active attacks like that.
>
> A self-signed certificate does allow for things that are TOFU-like,
> but not perfectly. Things like CT help too.

But afaik CT doesn't help with self-signed or equivalent
TOFU things as it relies on the CAs to avoid the log being
spammed. If there were a way to let web sites use CT for
self-signed certs, that'd be interesting but I thought
that the CT folks didn't like that idea.

S.

> Obviously,
> http://hotmail.com should have a certificate that is signed by a CA
> and HSTS turned on. (Sadly, in reality, it has the former; instead of
> the latter, it provides a P3P header :( ) Those things cost.
>
> As an aside, I really would like people to recognize the non-monetary
> costs here, which are far more relevant.

Received on Monday, 16 December 2013 18:03:09 UTC