- From: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
- Date: Tue, 1 Apr 2014 15:39:08 +0300
- To: Yoav Nir <ynir.ietf@gmail.com>
- Cc: Martin Thomson <martin.thomson@gmail.com>, HTTP Working Group <ietf-http-wg@w3.org>
On Tue, Apr 01, 2014 at 03:26:17PM +0300, Yoav Nir wrote: > Yoav > > On Apr 1, 2014, at 3:21 PM, Ilari Liusvaara <ilari.liusvaara@elisanet.fi> wrote: > > > > That looks to be vulernable to forwarding and MITM attacks... > > > Sure, but not more so than regular server-authenticated HTTPS. > > We can get all fancy and tie it to extractors or channel bindings. The question is whether we want just mutual authentication or whether we want to foil MitM attacks and proxies while we’re at it. > > Foiling MitM has the downside (or upside) of making this not work from behind next generation firewalls. Suppose that user visits a maliscous site. What is to prevent that site from contacting target site and forwarding authentication exchange across (with who knows what other headers and payload)? -Ilari
Received on Tuesday, 1 April 2014 12:39:31 UTC