Re: http/1 opportunistic encryption from Martin Thomson on 2015-06-17 (ietf-http-wg@w3.org from April to June 2015)

From: Martin Thomson <martin.thomson@gmail.com>
Date: Wed, 17 Jun 2015 09:25:50 -0700
To: Stefan Eissing <stefan.eissing@greenbytes.de>
Cc: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>, HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <CABkgnnWT3kKZq2=RJ3z0pv94SRFnfpy_6W7prGPeZUfV0XbiFQ@mail.gmail.com>

On 17 June 2015 at 01:50, Stefan Eissing <stefan.eissing@greenbytes.de> wrote:
> Well, it's the server that announces the Alt-Svc, so it has to know what it's doing - as with everything else. I


The concern is that it might not be the server that provided the
announcement.  It could have been a rogue resource that set a header
field, or a MitM.  One attack of concern is where the server releases
a secure cookie into an insecure context.

Received on Wednesday, 17 June 2015 16:26:18 UTC