W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2014

Re: Trusted Proxy Alternatives Analysis

From: Nicolas Mailhot <nicolas.mailhot@laposte.net>
Date: Tue, 11 Feb 2014 20:05:40 +0100
Message-ID: <8eba8bb7192bdf7848d798171a8271f0.squirrel@arekh.dyndns.org>
To: "Mark Nottingham" <mnot@mnot.net>
Cc: "Nicolas Mailhot" <nicolas.mailhot@laposte.net>, "William Chan (陈智昌)" <willchan@chromium.org>, "Peter Lepeska" <bizzbyster@gmail.com>, "Frode Kileng" <frodek@tele.no>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>

Le Mar 11 février 2014 03:39, Mark Nottingham a écrit :
> Nicolas,
>
> Can you expand upon that? A throwaway dismissal like that doesn't really
> help.

The integrity hash is buried in the html page (content). Therefore, when a
web client will perform a GET on one of those resources, proxies will only
see the URL and have no way to know it should be checked against
something.

For the security to be effective the integrity metadata needs to be
propagated in the web client http commands.

Regards,

-- 
Nicolas Mailhot
Received on Tuesday, 11 February 2014 19:06:20 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:14:24 UTC