- From: Eliot Lear <lear@cisco.com>
- Date: Mon, 30 Nov 2015 13:18:06 +0100
- To: Roland Zink <roland@zinks.de>, ietf-http-wg@w3.org
- Message-ID: <565C3E7E.8080705@cisco.com>

Hi Roland,

On 11/30/15 12:50 PM, Roland Zink wrote:
> How is this different from the current web model allowing ads to be
> served from everywhere? There is no guarantee that the content can't
> be hijacked.

I would say that those who reference those ads have a certain responsibility to see that they are clean, but other than that I'm not sure how the question is relevant. The approach introduces a new vector and it should thus be addressed.

>> But I would suggest that there are mitigations to this attack, one such
>> being that the content is attested to by a malware protection system
>> (McAfee, Kaspersky, etc) such that server might trust it, and might
>> otherwise reject such content.
> Do you want to allow third parties access to the content?

"Want" may be a bit strong. Would I suffer it? Possibly. I would not want to receive infected content. But heck, what I wrote above was meant more as a way to prove to myself, if nobody else, that there is at least one approach that can be employed to mitigate the threat. Whether server administrators use that method is another story. Whether there are other approaches is also a very fair question as far as I am concerned.

Eliot

Received on Monday, 30 November 2015 12:18:37 UTC