comprehensive TLS is not the solution, it's a bug ... (was 2 questions)

On Mon, March 30, 2015 22:33, Dan Anderson wrote:
>> think of someone or company uses Internet for e-commerce; e.g. presenting
>> his products is public for anybody; this doesn't need to be presented in
>> TLS,
>
> Is this still a valid assumption?

Yes, why: see below ...

> I might not particularly, initially, care about confidentiality.  But I
> think I would still care about the integrity benefits (Am I talking to the
> site I think I am talking to?, is there a man in the middle?, etc.)

just look at this screenshot
http://imgbin.org/images/23055.png
(this was made at http://www.zalando.at/ - I'm Austrian and this is an
internet shop, but ... - my proxy blocks advertising in a very aggressive
way)

> I can't think of a case where I would not want this assurance.

do you still think TLS would give you the "assurance" that everything in the
browser window comes from the host shown in the address bar, even when
it's the kidding green bar?

> And I can think of all sort of nefarious things to do to others when they
> don't have this assurance.

really?

> So I am disappointed that we are not taking the opportunity to fix this.

Yes, fix this by only allowing relative URLs inside https-sites ..., or in
other words, restricting access to ONLY the host shown in the address bar,
when presenting the site with TLS in the browser window ...

Much luck ;-)

by the way:
can you please read this:
https://datatracker.ietf.org/doc/draft-hoehlhubmer-https-addon/
I want this to be an RFC

Thanks,
Walter

p.s. guess why the garbage collection isn't escorted by the police,
but the transport of money is ...

Received on Tuesday, 31 March 2015 05:30:40 UTC
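As an added illustration (not part of the original post or the draft it links to) of the point above, the following script lists which hosts other than the address-bar host an HTTPS page embeds resources from, and shows the Content-Security-Policy value that would enforce the "only the host shown in the address bar" restriction proposed in the message; the page URL, the HTML and the host names are constructed samples.

```python
"""Find sub-resources an HTTPS page loads from hosts other than its own.
Added illustration, not code from the original post; the sample HTML below
is constructed."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs that make the browser fetch another resource.
_RESOURCE_ATTRS = {"script": "src", "img": "src", "link": "href",
                   "iframe": "src", "source": "src"}


class _RefCollector(HTMLParser):
    """Collect raw URL references from resource-loading tags."""
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        attr = _RESOURCE_ATTRS.get(tag)
        if attr:
            for name, value in attrs:
                if name == attr and value:
                    self.refs.append(value)


def foreign_hosts(page_url, html):
    """Return the set of hosts, other than the page's own, that the page
    embeds resources from. Relative URLs resolve to the page host and are
    therefore never reported; scheme-relative (//host/...) ones are."""
    page_host = urlsplit(page_url).hostname
    collector = _RefCollector()
    collector.feed(html)
    found = set()
    for ref in collector.refs:
        host = urlsplit(urljoin(page_url, ref)).hostname
        if host and host != page_host:
            found.add(host)
    return found


# Constructed sample: a shop page mixing its own assets with third-party ones.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/static/shop.css">
<script src="//cdn.example-ads.invalid/track.js"></script>
</head><body>
<img src="images/logo.png">
<iframe src="https://widgets.example-partner.invalid/rate"></iframe>
</body></html>"""

# Header value that makes the browser refuse everything not from the page's
# own origin, i.e. the restriction proposed in the message.
SELF_ONLY_CSP = "default-src 'self'"

if __name__ == "__main__":
    print("third-party hosts:", sorted(foreign_hosts("https://shop.example/", SAMPLE_HTML)))
    print("Content-Security-Policy:", SELF_ONLY_CSP)
```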