- From: Roy T. Fielding <fielding@gbiv.com>
- Date: Sat, 1 Feb 2014 01:42:43 -0800
- To: Mark Nottingham <mnot@mnot.net>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>
On Jan 31, 2014, at 8:36 PM, Mark Nottingham wrote:

>> The "https" scheme (Section 2.7.2) is intended to prevent (or at
>> least reveal) many of these potential attacks on establishing
>> authority, assuming the negotiated TLS connection is secured in a way
>> that verifies the communicating server's identity matches the target
>> URI's authority component (see [RFC2818] and [Georgiev]).
>
> Given the state of the world, this seems like a huge assumption — can we at least acknowledge that here be dragons as well?

Yep, the paper by Georgiev et al. is a catalog of dragons with real examples and suggestions. I will split that into two sentences so that the reason to look at the paper is clear.

....Roy
Received on Saturday, 1 February 2014 09:43:07 UTC
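The check the quoted draft text leans on, that the server identity presented in the TLS certificate matches the host in the target URI's authority component (RFC 2818 section 3.1, as tightened by RFC 6125), is the one the Georgiev et al. paper found so often skipped or misimplemented. The following is an added illustration, not code from this thread, from the HTTP working group or from any TLS library; the function names and the certificate names are constructed for the example. It extracts the host from the authority (dropping userinfo and port, handling IPv6 literals), matches it against dNSName entries with the single left-most-label wildcard rule, and requires IP-literal hosts to match an iPAddress entry rather than a DNS name:

```python
"""Hostname check the "https" scheme relies on: the server identity in the
TLS certificate must match the host in the target URI's authority component
(RFC 2818 section 3.1, tightened by RFC 6125).

Added example, not part of the list message; the subjectAltName entries used
below are constructed sample data, not a real certificate."""
import ipaddress
from collections.abc import Sequence
from urllib.parse import urlsplit


def authority_host(uri: str) -> str:
    """Return the host part of the URI's authority (no userinfo, no port).
    urlsplit strips IPv6 brackets for us ('[::1]:8443' -> '::1') and
    lower-cases the host; a trailing root dot is ignored as well."""
    parts = urlsplit(uri)
    if parts.scheme.lower() != "https" or not parts.hostname:
        raise ValueError("expected an https URI with a non-empty host")
    return parts.hostname.rstrip(".").lower()


def dns_name_matches(pattern: str, host: str) -> bool:
    """RFC 6125 style comparison of one dNSName entry against the URI host.
    A wildcard is accepted only as the complete left-most label and never
    matches across a dot: '*.example.com' matches 'www.example.com' but
    neither 'example.com' nor 'a.b.example.com'. Partial-label wildcards
    such as 'w*.example.com' and overly broad ones such as '*.com' are
    rejected outright."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    p_labels, h_labels = pattern.split("."), host.split(".")
    if "*" not in pattern:
        return p_labels == h_labels          # plain, case-insensitive match
    if p_labels[0] != "*" or pattern.count("*") != 1 or len(p_labels) < 3:
        return False
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def identity_matches(uri: str, san_dns: Sequence[str],
                     san_ip: Sequence[str] = ()) -> bool:
    """Does the certificate's subjectAltName satisfy the URI's authority?
    IP-literal hosts must equal an iPAddress entry; DNS hosts must match a
    dNSName entry. The Subject CN is deliberately ignored, as RFC 6125
    recommends whenever a subjectAltName extension is present."""
    host = authority_host(uri)
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None                            # not an IP literal: a DNS name
    if ip is not None:
        return any(ipaddress.ip_address(entry) == ip for entry in san_ip)
    return any(dns_name_matches(name, host) for name in san_dns)


if __name__ == "__main__":
    # Constructed sample certificate identity for the demonstration.
    san_dns = ["www.example.com", "*.api.example.com"]
    san_ip = ["192.0.2.10"]
    for uri in ["https://WWW.example.com/",           # case-insensitive match
                "https://user@www.example.com:8443/",  # userinfo and port ignored
                "https://v1.api.example.com/",         # wildcard covers one label
                "https://a.b.api.example.com/",        # wildcard must not cross a dot
                "https://192.0.2.10/",                 # IP literal via iPAddress SAN
                "https://example.com/"]:               # not covered by the cert
        print(f"{uri:42} -> {identity_matches(uri, san_dns, san_ip)}")
```

The point of keeping the comparison this explicit is that every branch corresponds to a failure class catalogued in the paper: comparing against the wrong part of the URI, letting a wildcard match more than one label, accepting an IP literal against a dNSName, or skipping the comparison entirely when verification of the chain succeeds.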