Re: http/1 opportunistic encryption

On 17 June 2015 at 01:50, Stefan Eissing <> wrote:
> Well, it's the server that announces the Alt-Svc, so it has to know what it's doing - as with everything else. I

The concern is that it might not be the server that provided the
announcement.  It could have been a rogue resource that set a header
field, or a MitM.  One attack of concern is where the server releases
a secure cookie into an insecure context.

Received on Wednesday, 17 June 2015 16:26:18 UTC